Apple's new privacy protection feature 'Private Relay' disables risk-based authentication



Risk-based authentication (RIBA) is a method by which an Internet service requests additional confirmation when a user accesses it from a different device or location than usual. Apple has announced 'Private Relay' as a new privacy protection feature, but because Private Relay encrypts the user's IP address, it is expected to disable RIBA, which relies on the IP address. Identity expert Florian Forster points this out:

IMO - Risk Based Authentication is broken
https://zitadel.ch/blog/imo-rba-is-broken/

Apple announced the new privacy protection feature 'Private Relay' at its developer event 'WWDC 2021', held on June 8, 2021. Private Relay is a feature that anonymizes users' web browsing activity. The specific mechanism is explained in the following article.

Apple's new privacy protection feature 'Private Relay' cannot be used in China - GIGAZINE



Apple's Private Relay first sends the user's IP address and an encrypted destination URL to Apple. Apple then encrypts the user's IP address and forwards it, together with the encrypted URL, to relay stations operated by partner content providers. The relay station decrypts the encrypted URL and gives the user access to the target website.

The important point of the Private Relay mechanism is that 'Apple knows the user's IP address but not the site being accessed' and 'the partner content provider knows the site being accessed but not the user's IP address'. Because no single operator knows both the user's exact IP address and the sites the user visits, the risk of misuse of that data is greatly reduced.

However, once Apple's Private Relay is enabled, there are concerns about what will become of RIBA. RIBA is a mechanism that judges that impersonation may be occurring when information such as the IP address, OS, or browser differs from usual, and then requests additional confirmation. Since RIBA uses the IP address to determine whether the user is genuine, if the IP address seen by the content provider side is encrypted, RIBA itself will no longer function.
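To make the dependency concrete, here is a small added example (not code from the article or from Mr. Forster) of a risk scorer of the kind described above. It assumes a constructed profile of past logins and a constructed, placeholder relay egress range; it shows that a relay IP carries no per-user signal, so the decision has to rest on a device-bound credential, and that a shared relay egress must never be learned as a 'known' IP.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed placeholder egress range (TEST-NET-3); NOT Apple's real relay ranges.
RELAY_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

@dataclass
class Login:
    ip: str
    device_id: Optional[str]   # device-bound credential or cookie; None if absent
    user_agent: str

@dataclass
class Profile:
    known_ips: Set[str] = field(default_factory=set)
    known_devices: Set[str] = field(default_factory=set)
    known_agents: Set[str] = field(default_factory=set)

def is_relay_ip(ip: str) -> bool:
    """True when the client IP is a shared relay egress (no per-user meaning)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RELAY_EGRESS)

def risk_score(profile: Profile, login: Login) -> Tuple[int, List[str]]:
    """Weighted RIBA score; the IP term is dropped entirely for relay traffic."""
    score, reasons = 0, []
    if is_relay_ip(login.ip):
        reasons.append("ip-masked")           # IP says nothing about this user
    elif login.ip not in profile.known_ips:
        score += 50; reasons.append("new-ip")
    if login.device_id is None:
        score += 40; reasons.append("no-device-binding")
    elif login.device_id not in profile.known_devices:
        score += 40; reasons.append("new-device")
    if login.user_agent not in profile.known_agents:
        score += 10; reasons.append("new-agent")
    return score, reasons

def decision(score: int) -> str:
    return "allow" if score < 40 else "step-up"

def learn(profile: Profile, login: Login) -> None:
    """Record a successful login; a shared relay egress is never trusted as an IP."""
    if not is_relay_ip(login.ip):
        profile.known_ips.add(login.ip)
    if login.device_id is not None:
        profile.known_devices.add(login.device_id)
    profile.known_agents.add(login.user_agent)
```

With a known device the relay login is allowed on the device signal alone; without one the scorer can only fall back to a step-up challenge, which is the loss of signal the article describes.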

In fact, Mr. Forster confirmed that the Private Relay settings screen has an 'IP address / location' item, and that this screen states: 'Private Relay does not disclose the user's Internet activity. It protects web browsing in Safari with full IP masking and web traffic encryption, protects you when using apps, and can prevent ISPs from profiling users.'

The IP address item also says: 'We recommend using 'Approximate Location' so that websites can provide local content in Safari. 'Broader Location' can also be used, but in that case it may affect the search results for content.' In other words, the choice is noted as affecting search results.



Some argue that RIBA can continue to be used by relying on a user's fingerprint, but cookies and other fingerprinting techniques are being regulated. For this reason, Mr. Forster proposes as a solution moving away from RIBA and considering a new session management method that does not use passwords. In fact, Apple is reported to be developing a 'passkey' feature that allows users to log in to web services with only Face ID or Touch ID, without a password.

Apple is developing a 'passkey' feature that allows you to log in to web services with just Face ID or Touch ID, without a password - GIGAZINE

in Web Service, Posted by darkhorse_log