The idea of living in a world where we no longer have to worry about passwords sounds very appealing, and Apple, Google, and Microsoft have taken on the challenge of making it possible in the not too distant future. The three companies have committed to expanding support for the FIDO standard, which will let users sign in to websites and apps from any platform without typing a password.
Without a doubt, this would be a major step forward in authentication. Many people are understandably reluctant to give up passwords altogether; however, the promoters of this initiative maintain that the method is safer than passwords and than legacy multi-factor schemes such as one-time codes, because the credential is bound to the site it was created for and cannot be phished, and that it is also much simpler to use.
In simple terms, what the FIDO standard allows is to use a physical device as a general means of authentication. Taking a smartphone as an example, users need nothing more than their preferred unlock method (fingerprint, PIN, pattern, Face ID) to access the services they want, without having to remember a password for each one. The unlock only gates use of the key on the phone; the biometric itself is never sent to the service.
The system works because the phone stores a passkey, a credential based on public key cryptography, for each account. The service holds only the public key; at login it sends a random challenge, and the phone signs it with the private key after the user unlocks the device with their preferred method, as noted above. The signature also covers the origin of the site requesting it, which is what makes the credential useless to a look-alike phishing site.
Google, Apple, and Microsoft double down on the FIDO standard
It is worth noting that Google, Apple, and Microsoft already support the FIDO Alliance standards in some of their products. However, users must currently sign in to each service (app or website) on each device with a password before they can enable passwordless access there. What the new commitment proposes is to go a step further by adding two specific capabilities, detailed below.
The first is to let users use their passkey across their devices without having to re-enroll each account or service on each one. This even covers setting up a new device, such as when we replace our smartphone with a newer model.
The second is that the FIDO credential on the phone can approve a login on another device, even one with a different browser or operating system. For example, to access our bank account from Safari on a Mac, we could approve the login from an Android phone with its fingerprint reader (in practice by scanning a QR code shown by the Mac and confirming on the phone, with a proximity check so that a remote attacker cannot relay the request).
According to the FIDO Alliance, these new features will start rolling out to Microsoft, Apple, and Google platforms in 2023. Google has already indicated that it will bring passwordless sign-in to Android, Chrome, and ChromeOS.
The FIDO Alliance maintains that the passkey is the answer to the problem of managing multiple passwords. Its promoters state that 80% of data breaches stem from misused or compromised passwords, which they attribute in large part to the enormous number of online services an individual uses today.
It is estimated that a user today can have more than 90 online accounts, which leads to another serious drawback: password reuse, where one leaked password unlocks many accounts. They therefore consider that requiring possession of a physical device, the smartphone in this case, as a mandatory authentication factor is crucial to preventing account takeover and identity theft.
Fewer passwords, more security
Logically, the idea of a future without passwords raises questions. What do we do if we lose the phone we use to authenticate to all of our services? According to Google, that won't be a problem. “Even if you lose your phone, our access keys will be securely synced to the new device from the cloud backup, allowing you to pick up right where you left off on the old device,” they wrote in their blog.
However, it is not entirely clear how users will authenticate to a new device in order to access the backed-up passkeys; in practice this means the cloud account that holds the backup, and its own recovery process, becomes the root of trust for every account protected by those passkeys. The FIDO Alliance has published a set of recommended practices so that users do not lose access to their accounts if they lose their primary means of verification.
It recommends encouraging users to register multiple authenticators with each account, so that if one device is lost another can still be used to sign in. It also mentions hardware security keys (USB, for example) as a place to store FIDO credentials, and that the services themselves should have account recovery procedures that verify the user's identity, since a weak recovery flow would undo the phishing resistance the passkey provides.
We'll see how this story develops. What is clear is that the big technology companies have taken the initiative to reach the long-awaited password-free future. It is reasonable to expect that the change will not happen overnight and that it will require a significant learning process for the general public.