Last month, Microsoft, Google and Apple all announced that they will expand their support for the passwordless standard set by the FIDO Alliance and the World Wide Web Consortium (W3C). For anyone not familiar, FIDO is short for Fast Identity Online, and the Alliance is an association working to create authentication standards that reduce the world’s over-reliance on passwords. Members include global tech leaders from enterprise, payments, telecom, government and healthcare. With this announcement, it seems safe to say that a passwordless future is right around the corner.
Why passwords have failed us
Saying passwords have “failed us” might be an overstatement; strong and unique passwords can provide a high level of security. The failure actually lies with the human factor. Weak passwords can be stolen or guessed. In fact, stolen or guessed passwords account for more than 80% of all data breaches. And a recent Google/Ipsos survey found that 20% of Americans admit to using easy-to-guess terms. These included personal data, like names and birthdates, which are easy for hackers to figure out. One in three say they have shared their passwords with someone or have access to someone else’s passwords. And a full 65% of respondents say they reuse passwords. Passwords are the root cause of most attacks, including account takeovers, advanced persistent threats, and ransomware. And over the past year, the number of password attacks has more than doubled, to a staggering 921 per second.
No better alternatives…until now
Until now, the general public has had no better option for data security than passwords. Passwords were adopted without issue because the concept was simple to understand and the basic practice easy to follow. And people have just gotten used to using them. Many organizations, as well as more tech-savvy individuals, have learned to strengthen protection by employing password managers and multifactor authentication. Yet even those methods are not infallible: password managers still rely on the use of passwords, and secondary authentication factors can be intercepted using social engineering techniques. Once again, the human factor is at play with both.
How passwordless authentication works…exactly
To sign into a website or app on your phone, you will simply unlock your phone. Your phone will now have an encrypted FIDO passkey stored in it, which is used to unlock any online account or app. The passkey makes signing in far more secure, as it’s only shown to your online account when you unlock your phone. To sign into a website on your computer, you’ll just need your phone nearby and you’ll be prompted to unlock it for access. From that point on, you’ll no longer need your phone and can sign in just by unlocking your computer. “This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS,” according to the FIDO Alliance.
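Why unlocking a device can replace a password and still resist phishing, shown as an added example that is not from the original article or the FIDO Alliance: a simplified Node.js model of the public-key challenge-response behind a passkey. It is not the real WebAuthn message format, and the function names and the origins `https://bank.example` and `https://bank-login.example` are made up for illustration.

```javascript
// Simplified model of a passkey sign-in; NOT the real WebAuthn message format.
// Function names and both origins are illustrative assumptions.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Registration: the device makes a key pair; the site stores only the public key.
function createPasskey() {
  return generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Site: a fresh random challenge per sign-in attempt, so old responses cannot be reused.
function newChallenge() {
  return randomBytes(32).toString('hex');
}

// Device, after the user unlocks it: sign the challenge plus the origin the browser sees.
function deviceSign(privateKey, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  return { clientData, signature: sign('sha256', Buffer.from(clientData), privateKey) };
}

// Site: accept only a valid signature over its own challenge and its own origin.
function siteVerify(publicKey, expected, response) {
  const data = Buffer.from(response.clientData);
  if (!verify('sha256', data, publicKey, response.signature)) return 'bad-signature';
  const { challenge, origin } = JSON.parse(response.clientData);
  if (challenge !== expected.challenge) return 'stale-challenge';
  if (origin !== expected.origin) return 'wrong-origin';
  return 'ok';
}

// Constructed scenario exercising the three outcomes a defender cares about.
function demo() {
  const SITE = 'https://bank.example';
  const LOOKALIKE = 'https://bank-login.example';
  const { publicKey, privateKey } = createPasskey();
  const c1 = newChallenge();
  const first = deviceSign(privateKey, c1, SITE);
  const genuine = siteVerify(publicKey, { challenge: c1, origin: SITE }, first);

  // Response produced on a lookalike page: the signed origin gives it away.
  const c2 = newChallenge();
  const relayed = deviceSign(privateKey, c2, LOOKALIKE);
  const phished = siteVerify(publicKey, { challenge: c2, origin: SITE }, relayed);

  // An old response replayed against a new challenge is rejected too.
  const replayed = siteVerify(publicKey, { challenge: newChallenge(), origin: SITE }, first);
  return { genuine, phished, replayed };
}
console.log(demo());
```

In real WebAuthn the browser goes a step further than this model and does not offer the passkey at all on a domain it was not registered for.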
Cross-device and cross-platform
By expanding support for the new standard, Apple, Google, and Microsoft will make logins easier across mobile devices and desktops. Mobile devices will be used as a way to sign into an app or website on another nearby device. And once activated, users will be able to access their FIDO sign-in passkeys across all of their devices: no more logging in to every app or website on every device. At Google, this new form of passwordless authentication will be rolled out over the remainder of the year in Android and Chrome. Apple and Microsoft have also committed to expanding the passwordless standard on their platforms. The best news of all is that this standardization will be cross-platform. What does this mean? Ideally, you could sign into a website via Google Chrome on a Windows machine using a passkey on an Apple device. That means extra security and convenience at the same time.