The first Thursday in May is apparently “World Password Day”, and to celebrate, Apple, Google and Microsoft are making a “joint effort” to kill the password. The major OS vendors want to “extend support for the common passwordless login standard created by the FIDO Alliance and the World Wide Web Consortium.”
The standard is referred to as either “multi-device FIDO credentials” or simply “passkeys”. Instead of a long string of characters, the app or website you sign in to sends a request to your phone for authentication. From there, you unlock your phone, authenticate with a PIN or biometric, and you’re on your way. It sounds familiar to anyone with phone-based two-factor authentication set up, but it’s a password replacement, not an additional factor.
Graphics have been provided for user interaction:
Some push-based 2FA systems work over the Internet, but this new FIDO scheme works over Bluetooth. As the white paper explains, “Bluetooth requires physical proximity, which means we now have a phishing-resistant way to use the user’s phone during authentication.” Bluetooth has a terrible reputation for compatibility, and I’m not sure “security” was ever a real concern either, but the FIDO Alliance notes that Bluetooth is only used for “physical proximity checking” and that the actual login process is “not affected by the security properties of Bluetooth”. Of course, this means both devices will need Bluetooth on board, which is a given for most smartphones and laptops but can be a sticking point for older desktop PCs.
Just as a password manager consolidates your logins under a single password, your passkeys can be synced by a big platform holder like Apple or Google. This lets you easily transfer your credentials to a new device, keeps them from being lost, and makes it easier to keep passkeys in sync across devices. If you lose your device, you can still recover your accounts by logging in (with a password, presumably?) to your platform account. It may also be a good idea to set up more than one device as an authenticator.
Companies have been trying to eliminate passwords for years, but it hasn’t been easy. Google has an entire timeline on its blog dating back to 2008. Passwords work fine if they are long, random, secret, and unique, but the human factor is always the problem. We are bad at remembering long random strings of characters, it’s tempting to write passwords down or reuse them, and phishing schemes try to trick you into handing your password to a third party. When a breach occurs, username and password pairs are easily traded, and huge databases of compromised credentials exist.
A FIDO blog post states: “These new capabilities are expected to become available on Apple, Google and Microsoft platforms over the next year.” Apple, which seems to have started the whole “passkey” trend, already has the system working in iOS 15 and macOS Monterey, but it isn’t yet compatible with other platforms. Google passkey support has already been spotted in Play Services on Android, so even older Android devices should pick it up quickly once it’s ready.
Listing image from FIDO Alliance