Chromebook users can sign in to websites with a PIN or fingerprint.
Image: Getty Images/iStockphoto
Google has finally brought Web Authentication (WebAuthn) passwordless authentication to Chrome OS to allow users to sign in to websites with a PIN or fingerprint used to unlock a Chromebook.
WebAuthn allows people to register and authenticate on websites or apps using an “authenticator” – such as a fingerprint or PIN – instead of a password. The World Wide Web Consortium (W3C) made WebAuthn an official web standard in 2019.

Of course, to take advantage of the Chrome OS version 88 update, people need to have a Chromebook with a fingerprint reader. But the feature also supports a device PIN, which is still easier to remember than passwords for every website. 
SEE: Managing and troubleshooting Android devices checklist (TechRepublic Premium)
“Websites that support WebAuthn will let you use your Chromebook PIN or fingerprint ID – if your Chromebook has a fingerprint reader – instead of the password you’ve set for the website,” says Alexander Kuscher, director of Chrome OS.
Additionally, people who use Google’s two-step verification to sign in to a Google account don’t need to use a security key or phone to authenticate since the Chromebook PIN or fingerprint ID can be used as the second factor. 
Sites that support WebAuthn include Google, Dropbox, GitHub, Okta, Twitter and Microsoft. Google last year rolled out an update so people with iPhones could use WebAuthn with more types of security keys as the second factor to sign into a Google account.

As an added bonus, Google has rolled out a feature with Chrome OS 88 that lets students and workers personalize the lockscreen with photos from Google Photos or art gallery images. Chrome OS also lets users check the weather and music playing, as well as control pause, skip and play in a locked state.  
WebAuthn on Chrome OS devices is likely to be a welcome addition for students who use Chromebooks for remote learning as the COVID-19 pandemic rolls on. These days, the demand for laptops around the clock has forced many parents to buy a cheap laptop, and Chromebooks are a popular option compared to more expensive Windows laptops and macOS laptops. 
SEE: Cybersecurity: This ‘costly and destructive’ malware is the biggest threat to your network
Acer in January unveiled the Chromebook Spin 514 convertible laptop with a 14-inch full HD touchscreen, protected by Gorilla Glass, and powered by AMD’s new Ryzen 3000 C-Series mobile processors. 
At the higher end, Samsung trimmed some features to bring down the cost of its 2-in-1 Galaxy Chromebook. The Galaxy Chromebook 2 features a 13.3-inch QLED display with 1,920×1,080-pixel resolution and comes with an Intel 10th-gen Core i3-10110U or Celeron 5205U processors. The previous model featured a 4K AMOLED display and an Intel Core i5 processor.  More

Source: Apple Apple says it prevented over 1.6 million risky and untrustworthy apps and app updates from reaching the App Store and stopped over $1.5 billion in fraudulent transactions in 2021.  Apple produced its first fraud prevention analysis last year, detailing it had prevented one million potentially bad apps from the App Store and protected customers […] More

Kerry Wan/ZDNETSamsung took the hard road when it launched the ultra-thin and lightweight Galaxy S25 Edge More

Microsoft has released 44 security fixes for August’s Patch Tuesday, with seven of the vulnerabilities being rated critical. There were three zero days included in the release and 37 were rated as important. 

ZDNet Recommends

Thirteen of the patches involved a remote code execution vulnerability while another eight revolved around information disclosure. The affected tools included .NET Core & Visual Studio, ASP.NET Core & Visual Studio, Azure, Windows Update, Windows Print Spooler Components, Windows Media, Windows Defender, Remote Desktop Client, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Office, Microsoft Office Word, Microsoft Office SharePoint and more.One of the most prominent patches released in the latest batch covers the Windows Print Spooler Remote Code Execution vulnerability, which has been a major topic of discussion since it was discovered in June. Microsoft also faced backlash from the security community for bungling the release of patches meant to address the issue. The fixed zero day bugs include:The Windows Update Medic Service Elevation of Privilege vulnerability is the only one that has been exploited in the wild, according to Microsoft’s report, but they do not explain how, where, or by whom. Security expert Allan Liska said CVE-2021-36948 stood out to him because of its similarities to CVE-2020-17070, which was published in November 2020.

“Obviously, it is bad that it is being exploited in the wild, but we saw almost the exact same vulnerability in November of 2020 but I can’t find any evidence that that was exploited in the wild,” Liska said. “So, I wonder if this is a new focus for threat actors.”Liska added that CVE-2021-26424 is a vulnerability to keep and eye on because its a Windows TCP/IP Remote Code Execution vulnerability impacting Windows 7 through 10 and Windows Server 2008 through 2019.”While this vulnerability is not listed as publicly disclosed or exploited in the wild, Microsoft did label this as ‘Exploitation More Likely’ meaning that exploitation is relatively trivial. Vulnerabilities in the TCP/IP stack can be tricky. There was a lot of concern earlier this year around CVE-2021-24074, a similar vulnerability, but that has not been exploited in the wild,” Liska explained. “On the other hand, last year’s CVE-2020-16898, another similar vulnerability, has been exploited in the wild.” The LSA spoofing vulnerability is related to an advisory Microsoft sent out late last month about how to protect Windows domain controllers and other Windows servers from the NTLM Relay Attack known as PetitPotam.Discovered in July by French researcher Gilles Lionel, the PetitPotam take on the NTLM Relay attack can “coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function.” It was never found to have been exploited. The Zero Day Initiative noted that Adobe also released two patches addressing 29 CVEs in Adobe Connect and Magento. ZDI said it submitted eight of the bugs in the recent Microsoft report and explained that this is the smallest number of patches released by Microsoft since December 2019. They attributed the decline to resource constraints considering Microsoft devoted extensive time in July responding to events like PrintNightmare and PetitPotam.”Looking at the remaining Critical-rated updates, most are of the browse-and-own variety, meaning an attacker would need to convince a user to browse to a specially crafted website with an affected system,” ZDI said.”One exception would be CVE-2021-26432, which is a patch for the Windows Services for NFS ONCRPC XDR Driver. Microsoft provides no information on how the CVSS 9.8 rated vulnerability could be exploited, but it does note that it needs neither privileges or user interaction to be exploited.”The next Patch Tuesday is September 14.  More

The New South Wales Police Force has teamed up with Australia’s major telcos — Telstra, Optus, and TPG — to launch a national SMS geo-targeting alert system to enhance the search for “high-risk” missing persons across the state.
Using the new system, mobile devices in defined areas where police hold grave concerns for the missing person will be sent alerts, a brief description, and information on how to report any sighting of the individual.
NSW Police Force stated the system would be used in cases when a “high-risk” person is missing, which include cases involving people with dementia, children with disabilities, and young people who go missing in large crowds.
“Police always act as quickly as possible to find anyone who is reported missing and this tool will mean the public will be able to assist almost immediately,” Minister for Police David Elliot said.
“The community should never underestimate the crucial role they can play in potentially saving someone from harm and if you receive this message we ask that you keep your eyes out and help police to reunite someone with their loved ones.”
Telstra, Optus, and TPG will roll out the tool by using the existing emergency framework.
“We’re thrilled to be assisting the NSW Police Force Missing Persons Registry with the ability to notify the community in critical missing persons cases and hope it will help our first responders make some happy reunions,” Telstra Enterprise chief customer officer John Ieraci said.

The system was first introduced by states and territories after the 2009 Victorian Black Saturday bushfires where alerts within specific areas were sent in the event of likely emergency situations, such as flood, bushfire, or other extreme weather conditions.
Extending the use of the system to missing persons was established following a review of the state’s police operations that led to the establishment of the Missing Persons Registry and the implementation of new systems and procedures that came into effect in July 2019.
The introduction of such a tool comes at a time when several concerns are being raised about the legislative framework that governs Australia’s intelligence community and the power that they could potentially hold over entities such as those in telecommunications. Some that are currently under the microscope include the pending Critical Infrastructure Bill, Online Safety Bill, and the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020.
Related Coverage More