Microsoft

Microsoft Will End Support For Most Versions of Internet Explorer on June 15 (zdnet.com) 90

It's finally happening. Microsoft will be ending support for most versions of its Internet Explorer (IE) 11 browser on June 15. ZDNet: Microsoft announced more than a year ago that IE would be removed from most versions of Windows 10 this year and has spent months encouraging customers to get ready by proactively retiring the browser from their organizations. IE 11 will be retired for Windows 10 client SKUs (version 20H2 and later) and Windows 10 IoT (version 20H2 and later). Products not affected by this retirement include IE Mode in Edge; IE 11 desktop on Windows 8.1, Windows 7 (with Extended Security Updates), Windows Server LTSC (all versions), Windows Server 2022, Windows 10 client LTSC (all versions), Windows 10 IoT LTSC (all versions). The IE 11 desktop app is not available on Windows 11, as Edge is the default browser for Windows 11. IE Mode in Microsoft Edge will be supported through at least 2029 to give web developers eight years to modernize legacy apps and eventually remove the need for IE mode, officials have said. According to Net Applications, a web monitoring tool, Internet Explorer still has a market share of 5.21% on desktops and laptops, far behind Chrome at over 69%, to be sure, but still ahead of Apple's Safari, which commands 3.73% market share.
IT

Two Tech CEOs Wanted Every Worker to Have a Permanent, Publicly-Available Job Performance File (vice.com) 153

"Two CEOs on a podcast casually proposed a shareable database of worker performance that would follow them between companies, forever, and encouraged listeners to create one," writes Slashdot reader merauder128 , summarizing a recent article on Vice.

"HR professionals say it's a terrible idea."

Vice points out that on the podcast, both the host and guest were CEOs of "data harvesters that package and resell data to other parties." Through one lens, it was a mundane musing between two CEOs of data companies talking about how awesome it would be to have more data on something. But in the context of experiments occurring in the tech industry around hiring practices, it was two influential CEOs encouraging other entrepreneurs to create a business that would be an absolute nightmare for workers, a type of credit score for workers that could be a permanent HR file that follows workers from one job to the next, and where a worker who struggles at one job may have trouble getting another....

It is also in line with a growing trend among tech companies that, spurred by work-from-home and hybrid work, are increasingly interested in quantifying employee performance. The most prominent example is Coinbase introducing an app so employees can constantly rate each other's performances, a scenario even the normally cheery TechCrunch said "sounds rough."

Over the last several years, there has been a boom in employee management software solutions such as Workday, Lattice, CultureAmp that are used across thousands of companies for performance reviews and other sensitive HR tasks. Technologically speaking, what Youakim and Hoffman are talking about is opening those confidential resources — or some condensed version of them that can be easily digested and analyzed — up to everyone.

None of these HR software companies have indicated that they have any intention of doing this.

The article warns that experts who have studied hiring extensively believe a permanent database "would allow this complete, random mess to follow workers their entire careers, affecting their job prospects, earning potential, and their broader lives." And the article summarizes a reaction to the idea from John Hausknecht, a professor of human resources at Cornell University. "It assumes people don't change, that jobs require similar attributes, that a person's experience at one company is relevant to another where they will be in a different environment with a different manager and different company culture....

"Or, to put it a different way, 'Just because we can track it, collect it, and ask about it,' Hausknecht said, 'doesn't necessarily mean we should.'"
Security

Cybersecurity Products Rarely Live Up To Marketing Claims: RSA Panel (esecurityplanet.com) 34

A panel at this week's RSA Conference argued that 90% of security buyers aren't getting the efficacy from their products that vendors claim they can deliver.

Slashdot reader storagedude writes: Joe Hubback of cyber risk management startup ISTARI led both the panel and the study, which was based on in-depth interviews with more than a hundred high-level security officials, including CISOs, CIOs, CEOs, security and tech vendors, evaluation organizations and government organizations.

Hubback said that "90% of the people that I spoke to said that the security technologies they were buying from the market are just not delivering the effect that the vendors claim they can deliver. Quite a shocking proportion of people are suffering from technology that doesn't deliver."

A number of reasons for that product failure came out in the panel discussion, according to eSecurity Planet, but they can be boiled down to some key points:

- Cybersecurity buyers are pressed for time and most don't test the products they buy. "They're basically just buying and hoping that the solutions they're buying are really going to work," Hubback said.

- Vendors are under pressure from investors to get products to market quickly and from sales and marketing teams to make aggressive claims.

- On top of those pressures, it's difficult to architect tools that are effective for a range of complex environments – and equally difficult for buyers to properly assess these "black box" solutions.


Those conditions create an information asymmetry, said Hubback: "A vendor knows a lot more about the quality of the product than the buyer so the vendor is not incentivized to bring high-quality products to market because buyers can't properly evaluate what they're buying."

Hubback and fellow panelists hope to create a GSMA-like process for evaluating security product abilities, and he invited RSA attendees to join the effort.

Crime

US Anti-Hacking Law Tested in Trial Over 2019 Capital One Data Breach (union-bulletin.com) 39

"Paige Thompson worked as a software engineer in Seattle and ran an online community for other programmers," remembers the New York Times. [Alternate URL here and here.]

"In 2019, she downloaded personal information belonging to more than 100 million Capital One customers, the Justice Department said..." It included 140,000 Social Security numbers and 80,000 bank account numbers (drawn from applications for credit cards). Nearly three years after the disclosure of one of the largest data breaches in the United States, the former Amazon employee accused of stealing customers' personal information from Capital One is standing trial in a case that will test the power of a U.S. anti-hacking law.... She faces 10 counts of computer fraud, wire fraud and identity theft in a federal trial that began Tuesday in Seattle.... Thompson, 36, is accused of violating an anti-hacking law known as the Computer Fraud and Abuse Act, which forbids access to a computer without authorization. Thompson has pleaded not guilty, and her lawyers say her actions — scanning for online vulnerabilities and exploring what they exposed — were those of a "novice white-hat hacker."

Critics of the computer fraud law have argued that it is too broad and allows for prosecutions against people who discover vulnerabilities in online systems or break digital agreements in benign ways, such as using a pseudonym on a social media site that requires users to go by their real names. In recent years, courts have begun to agree. The Supreme Court narrowed the scope of the law last year, ruling that it could not be used to prosecute people who had legitimate access to data but exploited their access improperly. And in April, a federal appeals court ruled that automated data collection from websites, known as web scraping, did not violate the law. Last month, the Justice Department told prosecutors that they should no longer use the law to pursue hackers who engaged in "good-faith security research."

Thompson's trial will raise questions about how far security researchers can go in their pursuit of cybersecurity flaws before their actions break the law. Prosecutors said Thompson had planned to use the information she gathered for identity theft and had taken advantage of her access to corporate servers in a scheme to mine cryptocurrency... The Justice Department has argued that Thompson had no interest in helping Capital One plug the holes in its security and that she cannot be considered a "white hat" hacker. Instead, she chatted with friends online about how she might be able to profit from the breach, according to legal filings.... Some security researchers said Thompson had ventured too far into Capital One's systems to be considered a white-hat hacker.... "Legitimate people will push a door open if it looks ajar," said Chester Wisniewski, a principal research scientist at Sophos, a cybersecurity firm.... But downloading thousands of files and setting up a cryptocurrency mining operation were "intentionally malicious actions that do not happen in the course of testing security," Wisniewski said....

"Thompson scanned tens of millions of AWS customers looking for vulnerabilities," Brown wrote in a legal filing.

The article notes that Capital One ultimately agreed to pay $80 million in 2020 "to settle claims from federal bank regulators that it lacked the security protocols needed to protect customers' data" and another $190 million to settle a class-action lawsuit representing people whose data was exposed.
Security

Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat (blackberry.com) 43

Ars Technica reports: Researchers have unearthed a discovery that doesn't occur all that often in the realm of malware: a mature, never-before-seen Linux backdoor that uses novel evasion techniques to conceal its presence on infected servers, in some cases even with a forensic investigation.

On Thursday, researchers from Intezer and the BlackBerry Threat Research & Intelligence Team said that the previously undetected backdoor combines high levels of access with the ability to scrub any sign of infection from the file system, system processes, and network traffic. Dubbed Symbiote, it targets financial institutions in Brazil and was first detected in November.

Researchers for Intezer and BlackBerry wrote:

"What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability...."

So far, there's no evidence of infections in the wild, only malware samples found online. It's unlikely this malware is widely active at the moment, but with stealth this robust, how can we be sure?

"When hooked functions are called, the malware first dynamically loads libc and calls the original function..." according to Blackberry's blog post. "If the calling application is trying to access a file or folder under /proc, the malware scrubs the output from process names that are on its list.... If the calling application is not trying to access something under /proc, the malware instead scrubs the result from a file list....

"Symbiote also has functionality to hide network activity on the infected machine."
Security

The New Spectre-Like 'PACMAN' Flaw Could Affect ARM-Based Chips (including Apple's M1) (mit.edu) 24

"Researchers at MIT have discovered an unfixable vulnerability in Apple Silicon that could allow attackers to bypass a chip's 'last line of defense'," writes the Apple Insider blog, "but most Mac users shouldn't be worried." More specifically, the team at MIT's Computer Science & Artificial Intelligence Laboratory found that Apple's implementation of pointer authentication in the M1 system-on-chip can be overcome with a specific hardware attack they've dubbed "PACMAN." Pointer authentication is a security mechanism in Apple Silicon that makes it more difficult for attackers to modify pointers in memory. By checking for unexpected changes in pointers, the mechanism can help defend a CPU if attackers gain memory access.... The flaw comes into play when an attacker successfully guesses the value of a pointer authentication code and disables it.

The researchers found that they could use a side-channel attack to brute-force the code. PACMAN echoes similar speculative execution attacks like Spectre and Meltdown, which also leveraged microarchitectural side channels. Because it's a flaw in the hardware, it can't be fixed with a software patch.

[A]ctually carrying out the PACMAN attack requires physical access to a device, meaning the average Mac user isn't going to be at risk of exploit. The flaw affects all kinds of ARM-based chips — not just Apple's. The vulnerability is more of a technological demonstration of a wider issue with pointer authentication in ARM chips, rather than an issue that could lead to your Mac getting hacked.

MIT has made more information available at the site PACMANattack.com — including answers to frequently asked questions:

Q: Is PACMAN being used in the wild?
A: No.
Q: Does PACMAN have a logo?
A: Yeah!

The MIT team says their discovery represents "a new way of thinking about how threat models converge in the Spectre era." But even then, MIT's announcement warns the flaw "isn't a magic bypass for all security on the M1 chip." PACMAN can only take an existing bug that pointer authentication protects against, and unleash that bug's true potential for use in an attack by finding the correct PAC. There's no cause for immediate alarm, the scientists say, as PACMAN cannot compromise a system without an existing software bug....

The team showed that the PACMAN attack even works against the kernel, which has "massive implications for future security work on all ARM systems with pointer authentication enabled," says Ravichandran. "Future CPU designers should take care to consider this attack when building the secure systems of tomorrow. Developers should take care to not solely rely on pointer authentication to protect their software."

TechCrunch obtained a comment from Apple: Apple spokesperson Scott Radcliffe provided the following: "We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own."
Security

MIT Researchers Uncover 'Unpatchable' Flaw in Apple M1 Chips (techcrunch.com) 56

Apple's M1 chips have an "unpatchable" hardware vulnerability that could allow attackers to break through its last line of security defenses, MIT researchers have discovered. TechCrunch reports: The vulnerability lies in a hardware-level security mechanism utilized in Apple M1 chips called pointer authentication codes, or PAC. This feature makes it much harder for an attacker to inject malicious code into a device's memory and provides a level of defense against buffer overflow exploits, a type of attack that forces memory to spill out to other locations on the chip. Researchers from MIT's Computer Science and Artificial Intelligence Laboratory, however, have created a novel hardware attack, which combines memory corruption and speculative execution attacks to sidestep the security feature. The attack shows that pointer authentication can be defeated without leaving a trace, and as it utilizes a hardware mechanism, no software patch can fix it.

The attack, appropriately called "Pacman," works by "guessing" a pointer authentication code (PAC), a cryptographic signature that confirms that an app hasn't been maliciously altered. This is done using speculative execution -- a technique used by modern computer processors to speed up performance by speculatively guessing various lines of computation -- to leak PAC verification results, while a hardware side-channel reveals whether or not the guess was correct. What's more, since there are only so many possible values for the PAC, the researchers found that it's possible to try them all to find the right one.
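Both PACMAN items describe pointer authentication codes without showing what one is. As an added illustration, not from MIT, Apple, Apple Insider or TechCrunch, here is a toy model in Go of the sign/authenticate contract: a keyed MAC over the address and a context value, truncated and stored in the pointer's unused top bits. The 16-bit PAC width, HMAC-SHA256 as the keyed function and the context values are assumptions made for the example; ARM's real scheme uses a dedicated cipher and a PAC width set by the address layout. What it shows is the point the researchers make: a PAC only turns an existing memory-corruption bug into a failed check, and the space of possible codes is finite, so a side channel that tells an attacker whether a guess was right without the fault that would normally give the attempt away is what makes guessing practical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Toy model of pointer authentication, not ARM's or Apple's implementation.
// Assumptions: a 16-bit PAC kept in the top 16 bits of a 64-bit pointer whose
// address uses only the low 48 bits, and HMAC-SHA256 as the keyed function.
const (
	pacBits  = 16
	pacShift = 64 - pacBits
	addrMask = uint64(1)<<pacShift - 1
)

// PacSpace is the number of distinct PAC values, i.e. how many guesses cover
// the whole space.
func PacSpace() uint64 { return uint64(1) << pacBits }

// computePAC derives the code for an address under a context value (a stack
// pointer, a type discriminator, ...) and a per-process key.
func computePAC(addr, ctx uint64, key []byte) uint64 {
	var msg [16]byte
	binary.LittleEndian.PutUint64(msg[:8], addr)
	binary.LittleEndian.PutUint64(msg[8:], ctx)
	mac := hmac.New(sha256.New, key)
	mac.Write(msg[:])
	return binary.LittleEndian.Uint64(mac.Sum(nil)[:8]) & (PacSpace() - 1)
}

// SignPointer is the "pac" step: store the code in the pointer's unused bits.
func SignPointer(addr, ctx uint64, key []byte) uint64 {
	addr &= addrMask
	return addr | computePAC(addr, ctx, key)<<pacShift
}

// AuthPointer is the "aut" step: recompute, compare, strip. On hardware a
// mismatch yields a pointer that faults when used; here it is a bool so the
// outcome can be observed directly.
func AuthPointer(signed, ctx uint64, key []byte) (uint64, bool) {
	addr := signed & addrMask
	return addr, signed>>pacShift == computePAC(addr, ctx, key)
}

func main() {
	key := []byte("constructed per-process key")
	ret := SignPointer(0x00007fff12345678, 0xdead, key) // a signed return address
	_, ok := AuthPointer(ret, 0xdead, key)
	fmt.Println("intact pointer authenticates:", ok)
	_, ok = AuthPointer(ret^0x10, 0xdead, key) // a memory-corruption bug rewrote an address bit
	fmt.Println("redirected pointer authenticates:", ok)
	_, ok = AuthPointer(ret, 0xbeef, key)
	fmt.Println("wrong context authenticates:", ok)
	fmt.Printf("a blind guess is right 1 in %d times, and a wrong guess normally ends in a crash\n", PacSpace())
}
```

The model makes Ravichandran's advice concrete: the check is only as good as the secrecy of the outcome of a wrong guess, so pointer authentication belongs alongside bounds checking and memory-safe code, not in place of them.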

Worms

'Superworms' Can Digest Styrofoam, Australian Scientists Find (bloomberg.com) 54

An anonymous reader quotes a report from Bloomberg: Scientists in Australia have discovered that superworms can live and even grow on a diet of only polystyrene, also known colloquially as Styrofoam. Superworm is a common name for the larval stages of the darkling beetle (Zophobas morio). The researchers described their finding as a "first step" in discovering natural enzymes that could be used to recycle this type of plastic. "We envision that polystyrene waste will be collected, mechanically shredded, and then degraded in bioreactors with an enzyme cocktail," said Chris Rinke, a scientist at the University of Queensland and an author of a paper published on Thursday in the journal Microbial Genomics.

In recent years, scientists globally have been looking for microorganisms that can digest plastic, which is how natural materials like wood biodegrade. The idea is that some kind of enzyme engineered from the gut of an insect or bacteria could be used to digest difficult-to-recycle plastic so it could be made into new plastic products, which would reduce the need for virgin plastic. Used for things such as coffee cups and packing peanuts, polystyrene is one of the most common plastics in production. It accounts for "up to 7-10% of the total non-fibre plastic production," according to the paper.

Experimenters divided worms into three groups and fed each a different diet: bran, polystyrene or a starvation diet. The worms that lived on polystyrene were not as healthy as those eating bran, but they were able to eat the Styrofoam and gain weight and complete their life cycle. However, the report also found that the diet had "negative impacts on host gut microbiome diversity and health" of the worms. In other words, they could eat plastics, but it had a cost to them. It would theoretically be possible to keep thousands of worms in an industrial setting to digest plastics. But the researchers say their next goal is to identify and enhance the enzyme the worms use for future applications.

Chrome

Chrome Will Now Silence Many of Those Annoying Notification Permission Prompts on the Web (techcrunch.com) 83

Google today announced a set of new and updated security features for Chrome, almost all of which rely on machine learning (ML) models, as well as a couple of nifty new ML-based features that aim to make browsing the web a bit easier, including a new feature that will suppress notification permission prompts when its algorithm thinks you're unlikely to accept them. From a report: Starting with the next version of Chrome, Google will introduce a new ML model that will silence many of these notification permission prompts. And the sooner the better. At this point, they have mostly become a nuisance. Even if there are some sites -- and those are mostly news sites -- that may offer some value in their notifications, I can't remember the last time I accepted one on purpose. Also, while legitimate sites love to push web notifications to remind readers of their existence, attackers can also use them to send phishing attacks or prompt users to download malware if they get users to give them permission. "On the one hand, page notifications help deliver updates from sites you care about; on the other hand, notification permission prompts can become a nuisance," Google admits in its blog post today. The company's new ML model will now look for prompts that users are likely to ignore and block them automatically. And as a bonus, all of that is happening on your local machine, so none of your browsing data makes it onto Google's servers.
IT

Vivaldi Email Client Released 7 Years After First Announcement (theregister.com) 42

Browser maker Vivaldi's email client has finally hit version 1.0, seven years after it was first announced. From a report: Vivaldi Mail, which includes a calendar and feed reader as well as an email client, first arrived in technical preview in 2020. A slightly wobbly beta arrived last year alongside version 4 of the Chromium-based browser. After another year of polish and tidying of loose ends, the company has declared the client ready.

As before, the client is built into the browser, meaning it is unlikely to appeal to many beyond Vivaldi's existing user base. Enabling it is a simple matter of dropping into Settings pages and wading through until the option to enable Mail, Calendar, and Feeds can be selected. Vivaldi has a lot of settings -- delightfully customizable for some and downright baffling for others. That said, for users still pining for a good old-fashioned email client that doesn't require wading through a web page festooned with adverts, there's a lot to like. It supports multiple accounts, will sort messages and create folders automatically (locally, rather than on a mystery server in the cloud), and permits searching (with indexing performed offline). IMAP and POP3 are supported, making adding a provider relatively straightforward, and the company also claims that users can log into their Google accounts from Mail and Calendar.

Security

US: Chinese Government Hackers Breached Telcos To Snoop On Network Traffic (cnbc.com) 29

Several US federal agencies today revealed that Chinese-backed threat actors have targeted and compromised major telecommunications companies and network service providers to steal credentials and harvest data. BleepingComputer reports: As the NSA, CISA, and the FBI said in a joint cybersecurity advisory published on Tuesday, Chinese hacking groups have exploited publicly known vulnerabilities to breach anything from unpatched small office/home office (SOHO) routers to medium and even large enterprise networks. Once compromised, the threat actors used the devices as part of their own attack infrastructure as command-and-control servers and proxy systems they could use to breach more networks.

"Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting," the advisory explains. The attackers then stole credentials to access underlying SQL databases and used SQL commands to dump user and admin credentials from critical Remote Authentication Dial-In User Service (RADIUS) servers.

"Armed with valid accounts and credentials from the compromised RADIUS server and the router configurations, the cyber actors returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route, capture, and exfiltrate traffic out of the network to actor-controlled infrastructure," the federal agencies added. The three federal agencies said the following common vulnerabilities and exposures (CVEs) are the network device CVEs most frequently exploited by Chinese-backed state hackers since 2020. "The PRC has been exploiting specific techniques and common vulnerabilities since 2020 to use to their advantage in cyber campaigns," the NSA added.

Organizations can protect their networks by applying security patches as soon as possible, disabling unnecessary ports and protocols to shrink their attack surface, and replacing end-of-life network infrastructure that no longer receives security patches.

The agencies "also recommend networks to block lateral movement attempts and enabling robust logging and internet-exposed services to detect attack attempts as soon as possible," adds BleepingComputer.
United States

FBI Seizes Notorious Marketplace for Selling Millions of Stolen SSNs (techcrunch.com) 27

U.S. law enforcement have announced the takedown of SSNDOB, a notorious marketplace used for trading the personal information -- including Social Security numbers, or SSNs -- of millions of Americans. From a report: The operation was conducted by the FBI, the Internal Revenue Service (IRS), and the Department of Justice (DOJ), with help from the Cyprus Police, to seize four domains hosting the SSNDOB marketplace -- ssndob[dot]ws, ssndob[dot]vip, ssndob[dot]club, and blackjob[dot]biz. SSNDOB listed the personal information for approximately 24 million individuals in the United States, including names, dates of birth, SSNs, and credit card numbers, and generated more than $19 million in revenue, according to the DOJ. Chainalysis, a blockchain analysis company, reports separately that the marketplace has received nearly $22 million worth of Bitcoin across over 100,000 transactions since April 2015, though the marketplace is believed to have been active since at least 2013. These figures suggest that some users were buying personally identifiable information from the service in bulk, according to Chainalysis, which also uncovered a connection between SSNDOB and Joker's Stash, a large dark net market focused on stolen credit card information that shut down in January 2021.
IT

Salesforce Takes Crypto Plunge With New NFT Cloud (techcrunch.com) 33

An anonymous reader shares a report: Who knows whether it's FOMO or actual customer demand for such a thing, but Salesforce announced today that it's launching a pilot of NFT Cloud, a new platform for buying and selling these crypto assets. It's a turn to the future, according to the company, one it insists comes from customer curiosity. "Salesforce is seeing interest from CMOs and CDOs who are asking for help entering web3, and we are enthusiastic about bringing new innovations, products and offerings to our customers in a way that allows them to build and maintain meaningful relationships with their customers," Adam Caplan, SVP of Emerging Technology at Salesforce told TechCrunch.

The company's goal with this product is to make NFT selling more accessible. "NFT Cloud is all about helping our customers mint, manage and sell NFTs, and of course it's all no code. So it's super easy on our platform, abstracting all the complicated technology in this [new] web3 world," he said. He says he's seeing interest across a variety of verticals including retail, media, fashion and consumer goods, among others. "It's really about driving engagement and communities, and we're seeing super passionate communities in the NFT space..." Caplan explained. He sees it as a way to market to customers with something of potential value to them. "It's really about utility. And what we mean by utility is as an NFT holder, I receive certain benefits. It could be something in a digital world, or it could be something in the physical world," he said.

Security

MacOS Will Soon Block Unknown USB-C Accessories By Default (techcrunch.com) 175

An anonymous reader quotes a report from TechCrunch: A new security feature in Apple's upcoming macOS 13 Ventura will automatically block new USB-C devices from communicating with the operating system until the accessory can be approved by the user. Apple dropped details of the new security feature in its release notes, which appears to be aimed at protecting newer Apple laptops that run its bespoke M1 or M2 chips from potentially malicious accessories.

According to Apple's description, the feature will be enabled by default and will require the user to approve a USB-C accessory before it can talk to the operating system -- essentially an on-screen pop-up asking the user for permission. Apple says this doesn't apply to power adapters, standalone displays, and connections to an approved hub -- and devices can still charge even if you don't approve the accessory. Apple says that accessories that are already connected will automatically work when updating to the new macOS software.

IT

Who Needs Modern Emacs? (batsov.com) 135

Bozhidar Batsov writes: Every now and again I come across some discussion on making Emacs "modern". The argument always goes more or less like this - Emacs doesn't look and behave like and the world will end if we don't copy something "crucial" from it. [...] If you ask me -- there's pretty much nothing we can do that would suddenly make Emacs as popular as VS Code. But you know what -- that's perfectly fine. After all there are plenty of "modern" editors that are even less popular than Emacs, so clearly being "modern" doesn't make you popular. And there's also our "arch-nemesis" vim, that's supposedly as "dated" as Emacs, but is extremely popular.
Databases

MongoDB 6.0 Brings Encrypted Queries, Time-Series Data Collection (thenewstack.io) 53

The developers behind the open source MongoDB, and its commercial service counterpart MongoDB Atlas, have been busy making the document database easier to use for developers. From a report: Available in preview, Queryable Encryption provides the ability to query encrypted data, with the entire query transaction being encrypted -- an industry first according to MongoDB. This feature will be of interest to organizations with a lot of sensitive data, such as banks, health care institutions and the government. This eliminates the need for developers to be experts in encryption, Davidson said. This end-to-end client-side encryption uses novel encrypted index data structures; the data being searched remains encrypted at all times on the database server, including in memory and in the CPU. The keys never leave the application, and the company maintains that neither query speed nor overall application performance is impacted by the new feature.

MongoDB is also now supporting time series data, which are important for monitoring physical systems, quick-moving financial data, or other temporally-oriented datasets. In MongoDB 6.0, time-series collections can have secondary indexes on measurements, and the database system has been optimized to sort time-based data more quickly. Although there are a number of databases geared specifically towards time-series data, such as InfluxDB, many organizations may not want to stand up an entire database system for this specific use, a separate system costing more in terms of support and expertise, Davidson argued. Another feature is Cluster-to-Cluster Synchronization, which provides the continuous data synchronization of MongoDB clusters across environments. It works with Atlas, in private cloud, on-premises, or on the edge. This sets the stage for using data in multiple places for testing, analytics, and backup.

Software

Apple is Finally Adding Some of Gmail's Best Features To Its Own Email Apps (theverge.com) 53

Apple announced some major new features for Mail that finally bring the email app closer to parity with Gmail and other popular email clients. From a report: Perhaps the most useful will be an undo send feature, which will let you call back an email within 10 seconds of hitting the send button. A "remind me" feature will let you set a time for an email to come back to the top of your inbox. A new scheduled send feature allows you to specify exactly when an email should go out. And Mail will even tell you when it thinks you've forgotten to include an attachment.
Security

LastPass No Longer Requires a Password To Access Your Vault (engadget.com) 29

LastPass says they're now the first password manager with a passwordless sign-in feature. Engadget reports: Grant permission through the LastPass Authenticator mobile app and you can update account info on the web without entering your master password. The approach relies on FIDO-compliant password-free technology. The feature is available to both personal and business users. LastPass is also promising options beyond the Authenticator app in the future, such as relying on biometric scans or hardware security keys.
Security

Italian City of Palermo Shuts Down All Systems To Fend Off Cyberattack (bleepingcomputer.com) 11

Palermo in Southern Italy, home to about 1.3 million people, has shut down all its services, public websites, and online portals following a cyberattack on Friday. BleepingComputer reports: It's impossible to communicate or request any service that relies on digital systems, and all citizens have to use obsolete fax machines to reach public offices. Moreover, tourists cannot access online bookings for tickets to museums and theaters (Massimo Theater) or even confirm their reservations on sports facilities. Finally, limited traffic zone cards are impossible to acquire, so no regulation occurs, and no fines are issued for relevant violations. Unfortunately, the historical city center requires these passes for entrance, so tourists and local residents are severely impacted.

Italy recently received threats from the Killnet group, a pro-Russian hacktivist group that attacks countries that support Ukraine with resource-depleting cyberattacks known as DDoS (distributed denial of service). While some were quick to point the finger at Killnet, the cyberattack on Palermo bears the signs of a ransomware attack rather than a DDoS. The councilor for innovation in the municipality of Palermo, Paolo Petralia Camassa, has stated that all systems were cautiously shut down and isolated from the network while he also warned that the outage might last for a while.

Security

Apple 'Passkeys' Could Finally Kill Off the Password For Good (techcrunch.com) 141

Apple demonstrated "passkeys" at WWDC 2022, a new biometric sign-in standard that could finally kill off the password for good. TechCrunch reports: Passkeys are based on the Web Authentication API (WebAuthn), a standard that uses public-key cryptography instead of passwords for authenticating users to websites and applications, and are stored on-device rather than on a web server. The digital password replacement uses Touch ID or Face ID for biometric verification, which means that rather than having to input a long string of characters, an app or website you're logging into will push a request to your phone for authentication.

During its WWDC demo of the password-free technology, Apple showed how passkeys are backed up within the iCloud Keychain and can be synced across Mac, iPhone, iPad and Apple TV with end-to-end encryption. Users will also be able to sign in to websites and apps on non-Apple devices using an iPhone or iPad to scan a QR code and Touch ID or Face ID to authenticate. "Because it's just a single tap to sign in, it's simultaneously easier, faster and more secure than almost all common forms of authentication today," said Garrett Davidson, an Apple engineer on the Authentication Experience team.
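The WebAuthn flow the item summarizes (a public key registered with the site, the private key kept on the device, a fresh per-login challenge signed after biometric verification) can be walked through end to end. The following is an added example, not Apple's or TechCrunch's code, written in Go with Ed25519; the signature algorithm, the RP IDs example.com and examp1e.com, the credential identifier and the simplified signed payload are assumptions (a real WebAuthn assertion signs authenticator data plus a client-data hash, and the browser, not the user, supplies the RP ID). It shows the two properties that make passkeys stronger than passwords: the device signs only for the site the browser is actually on, so a look-alike domain gets nothing, and the server accepts each challenge once, so a captured assertion cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// RelyingParty is the website. It holds public keys only, so a copy of this
// table gives a phisher nothing to replay. Assumption: one RP ID per site.
type RelyingParty struct {
	ID    string
	creds map[string]ed25519.PublicKey // credential ID -> public key
	used  map[string]bool              // challenges already accepted
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]ed25519.PublicKey{}, used: map[string]bool{}}
}

// Authenticator is the device (phone or Mac): one key pair per site, private
// key never leaves it. Touch ID / Face ID is modeled by Assert's userVerified.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // RP ID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register mints a key pair for rp and hands over only the public half.
func (a *Authenticator) Register(rp *RelyingParty) (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	a.keys[rp.ID] = priv
	credID := hex.EncodeToString(pub[:8]) // constructed credential identifier
	rp.creds[credID] = pub
	return credID, nil
}

// NewChallenge is the server nonce that makes every assertion single-use.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// signedBytes is a simplified stand-in for WebAuthn's signed data: the RP ID
// hash binds the assertion to one site, the challenge to one login attempt.
func signedBytes(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert is the "request pushed to your phone": the browser supplies the RP ID
// of the origin actually being visited, the user verifies, the device signs.
func (a *Authenticator) Assert(rpID string, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("user verification failed; nothing signed")
	}
	priv, ok := a.keys[rpID]
	if !ok { // a look-alike domain has no passkey, and there is none to type in
		return nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	return ed25519.Sign(priv, signedBytes(rpID, challenge)), nil
}

// Verify checks the signature with the stored public key over the server's
// own RP ID and refuses any challenge it has already accepted.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	pub, ok := rp.creds[credID]
	k := hex.EncodeToString(challenge)
	if !ok || rp.used[k] || !ed25519.Verify(pub, signedBytes(rp.ID, challenge), sig) {
		return false
	}
	rp.used[k] = true
	return true
}

func main() {
	site := NewRelyingParty("example.com") // constructed RP ID
	phone := NewAuthenticator()
	cred, _ := phone.Register(site)
	ch := site.NewChallenge()
	sig, _ := phone.Assert("example.com", ch, true)
	fmt.Println("login accepted:", site.Verify(cred, ch, sig))
	fmt.Println("replay accepted:", site.Verify(cred, ch, sig))
	_, err := phone.Assert("examp1e.com", site.NewChallenge(), true)
	fmt.Println("look-alike site:", err)
}
```

The iCloud Keychain sync and the cross-device QR code flow described in the item sit on top of this: they move or lend the private key between the user's own devices, but the relying party still only ever sees signatures over challenges it issued.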
