Apparently the first Thursday of May is "World Password Day," and Apple, Google, and Microsoft are celebrating by launching a joint effort "to kill the password." The three major operating system vendors want to expand support for the passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.
The standard is called either "FIDO multi-device credentials" or just "passkeys." Instead of a long string of characters, this new system has the app or website you're signing into send a request to your phone for authentication. From there, you unlock the phone, authenticate with a PIN or biometrics, and you're on your way. That will sound familiar to anyone who uses phone-based two-factor authentication, but here it is a password replacement rather than an extra factor.
[Graphic: the user interaction flow]
Some phone-based 2FA systems work over the Internet, but the new FIDO scheme works over Bluetooth. As the white paper explains, "Bluetooth technology requires physical proximity, which means we now have a phishing-resistant way to take advantage of a user's phone during authentication." Bluetooth has a poor reputation for compatibility, and I'm not sure that "security" was ever a real concern, but the FIDO Alliance notes that Bluetooth is used only for "physical proximity verification" and that the actual login process "does not depend on Bluetooth's security properties." In other words, the cryptographic part of the login is the same origin-bound challenge-response that FIDO already uses; the Bluetooth hop only stops a remote attacker from driving your phone. Of course, this means both devices will need Bluetooth on board, which is a given for most smartphones and laptops but could be a tough demand for older desktop computers.
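To make the "phishing-resistant" claim concrete, here is an added example (not code from this article, the FIDO Alliance, or any of the three vendors) that simulates the website's side of a FIDO2/WebAuthn login, the protocol passkeys are built on, covering the flow described two paragraphs up and the phishing point just made. It assumes a P-256 key, the relying party example.com served from https://example.com, an in-process stand-in for the phone, and freshly generated challenges; the Bluetooth hop between laptop and phone is deliberately not modelled, because the checks that matter run on the signed data. The website verifies the browser-reported origin, the RP ID hash, the user-presence flag, the one-time challenge, and the signature. An assertion collected through a look-alike site at https://examp1e.com is rejected even though the phone's signature on it is perfectly valid, because the browser, not the attacker, fills in the origin that gets signed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Relying-party (website) configuration; assumed values for this example.
const (
	rpID, rpOrigin = "example.com", "https://example.com"
	flagUP, flagUV = 0x01, 0x04 // authenticatorData flags: user present, user verified
)

// clientData mirrors the CollectedClientData JSON. The browser, not the website,
// fills in the origin, which is what makes a passkey phishing-resistant.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the website gets back at the end of a login.
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// fakeAuthenticator stands in for the phone: it signs whatever the browser at
// browserOrigin hands it, scoped to the RP ID the browser derived from that origin.
type fakeAuthenticator struct{ priv *ecdsa.PrivateKey }

func (f fakeAuthenticator) assert(browserRPID, browserOrigin string, challenge []byte) (Assertion, error) {
	cd := clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), browserOrigin}
	cdj, _ := json.Marshal(cd) // cannot fail for a struct of plain strings
	rpHash := sha256.Sum256([]byte(browserRPID))
	authData := append(rpHash[:], flagUP|flagUV, 0, 0, 0, 1) // rpIdHash || flags || signCount
	cdHash := sha256.Sum256(cdj)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, f.priv, digest[:])
	return Assertion{authData, cdj, sig}, err
}

// verifyAssertion performs the website's checks from the WebAuthn assertion
// ceremony against the public key it stored when the passkey was registered.
func verifyAssertion(pub *ecdsa.PublicKey, challenge []byte, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: possible phishing", cd.Origin, rpOrigin)
	}
	if len(a.AuthData) < 37 {
		return errors.New("authenticator data too short")
	}
	if want := sha256.Sum256([]byte(rpID)); !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential scoped to another site")
	}
	if a.AuthData[32]&flagUP == 0 {
		return errors.New("user presence not asserted")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// runScenario registers a fresh passkey, then performs one login through a
// browser sitting at browserOrigin. It returns nil only if the website accepts.
func runScenario(browserOrigin, browserRPID string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	challenge := make([]byte, 32) // fresh per login, never reused
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	a, err := fakeAuthenticator{priv}.assert(browserRPID, browserOrigin, challenge)
	if err != nil {
		return err
	}
	return verifyAssertion(&priv.PublicKey, challenge, a)
}

func main() {
	fmt.Println("genuine site   :", runScenario("https://example.com", "example.com"))
	fmt.Println("look-alike site:", runScenario("https://examp1e.com", "examp1e.com"))
}
```

The look-alike case fails twice over: the origin inside the signed clientDataJSON reads https://examp1e.com, and the phone scoped the credential to examp1e.com, so the rpIdHash does not match either. Nothing about the transport between laptop and phone enters into any of these checks, which is exactly what the white paper means by the login not depending on Bluetooth's security properties.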
Similar to how a password manager unifies your logins under a single master password, your passkeys can be backed up by large platform owners like Apple or Google. This lets you bring your credentials to a new device easily, keeps you from losing them, and makes it simpler to sync passkeys across devices. If you lose your device, you can still recover your accounts by logging in (uh – with a password?) to the platform owner's account, which makes that account and its recovery flow the thing to protect. It may also be a good idea to have more than one device set up as an authenticator.
Companies have been trying to go "passwordless" for years, but getting there has been difficult; Google's blog post has a full timeline of its own efforts starting in 2008. Passwords work fine if they are long, random, secret, and unique, but the human element is always the problem. We're not good at memorizing long, random strings of characters, it's tempting to write them down or reuse them, and phishing schemes try to trick you into handing your password to a third party. When a breach happens, username and password pairs are easy to share, and there are huge databases of leaked credentials in circulation.
"These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year," says the FIDO blog post. Apple, which appears to have kicked off the whole "passkey" trend, already has a working system in iOS 15 and macOS Monterey, but it isn't compatible with other platforms yet. Passkey support has already been spotted in Google Play Services on Android, so older Android devices should get it quickly once it's ready.
Listing image by FIDO Alliance