As the internet world grapples with security breaches that result mainly from easy and misused passwords, leading tech giants are teaming up to find a lasting solution.
Apple, Google and Microsoft are planning to kill off the use of passwords across mobile, desktop and browsers. They have announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium, a press statement published on Apple’s website said.
The goal is to make faster, easier, and more secure sign-ins available to consumers across leading devices and platforms.
Passwords have been a notorious target for hackers and malware because people use weak passwords, which account for most data breaches. According to cybersecurity experts, common, simple passwords continue to make the annual weak password list despite repeated warnings. Managing so many passwords is also cumbersome for consumers, and this often leads users to reuse the same ones across services.
While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure.
“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, Apple’s Senior Director of Platform Product Marketing. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.”
The new standard promotes the use of a “multi-device FIDO credential” or a “passkey”. This is supposed to simplify sign-ins across devices, websites, and applications no matter the platform — without the need for a single password.
“The standards developed by the FIDO Alliance and World Wide Web Consortium and being led in practice by these innovative companies is the type of forward-leaning thinking that will ultimately keep the American people safer online. I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers,” said Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency.
“At CISA, we are working to raise the cybersecurity baseline for all Americans. Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords. Cyber is a team sport, and we’re pleased to continue our collaboration.”
FIDO authentication already facilitates passwordless sign-in across some websites and apps. The major difference with this plan is that it aims to make the process more widely adopted, and more secure thanks to an end-to-end passwordless option.
How will this new passwordless standard work?
Users will not have to sign in to every website or app on every individual device before passwordless access can be enabled. All you have to do is log in by unlocking your phone, and that will automatically unlock the account.
“This milestone is a testament to the collaborative work being done across the industry to increase protection and eliminate outdated password-based authentication,” said Mark Risher, Senior Director of Product Management, Google. “For Google, it represents nearly a decade of work we’ve done alongside FIDO, as part of our continued innovation towards a passwordless future.”
For extra security, this new standard will use Bluetooth to verify physical proximity. This means that both devices should have Bluetooth capabilities. According to FIDO, “Bluetooth requires physical proximity, which means that we now have a phishing-resistant way to leverage the user’s phone during authentication.”
Passkeys can be backed up to cloud services to make it easy to authenticate new devices and sync passkeys across devices. Users can set up multiple devices as authenticators.
FIDO says that “These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year.” This means that the passwordless FIDO sign-in standards would be implemented across macOS and Safari; Android and Chrome; and Windows and Edge.
“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” says Alex Simons, Corporate Vice President, Identity Program Management at Microsoft.
“By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords. We see a bright future for FIDO-based credentials in both consumer and enterprise scenarios and will continue to build support across Microsoft apps and services.”