The first Thursday in May is apparently “World Password Day,” and to celebrate, Apple, Google and Microsoft are launching a “joint effort” to kill the password. The three companies plan to “expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.”
The standard is called either a “multi-device FIDO credential” or simply a “passkey.” Instead of a long string of characters, this new scheme has the app or website you log in to send an authentication request to your phone. From there, you unlock the phone, authenticate yourself with a PIN or biometric, and you’re on your way. It looks like a familiar system to anyone who has set up phone-based two-factor authentication, but it’s a password replacement rather than an additional factor.
[Figure: diagram of the user interaction flow]
Some 2FA push systems work over the internet, but this new FIDO scheme works over Bluetooth. As the white paper explains, “Bluetooth requires physical proximity, which means we now have a phishing-resistant way to leverage the user’s phone during authentication.” Bluetooth has a terrible reputation for compatibility, and I’m not sure “security” was ever a real concern, but the FIDO Alliance notes that Bluetooth is just “for checking physical proximity” and the actual connection process “does not depend on Bluetooth security properties.” Of course, that means both devices will need Bluetooth on board, which is a given for most smartphones and laptops but might be a tough ask for older desktop PCs.
Similar to how a password manager can unify your logins under a single password, your passkeys can be backed up by a large platform holder like Apple or Google. This lets you easily bring your credentials to a new device, prevents you from losing them, and makes it easier to synchronize passkeys between devices. If you lose your device, you can still recover your accounts by logging in (er, with a password?) to your large platform holder account. It may also be a good idea to have more than one device configured as an authenticator.
Businesses have been trying to go “password-free” for years, but it’s been hard to get there. Google has a whole timeline on their blog post from 2008. Passwords work well if they’re long, random, secret, and unique, but the human element of passwords is still a problem. We are not good at memorizing long random strings of characters. It’s tempting to write passwords down or reuse them, and phishing schemes try to trick you into giving your password to someone else. When a security breach occurs, username and password pairs are easy to share, and there are huge databases of compromised credentials.
FIDO’s blog post states, “These new features are expected to be available across Apple, Google, and Microsoft platforms in the coming year.” Apple, which seems to have started the whole passkey trend, already has a working system in iOS 15 and macOS Monterey, but it’s not compatible with other platforms yet. Support for Google’s passkey has already been spotted in Play Services on Android, so even older Android devices should be supported as soon as it’s ready.
Listing image by FIDO Alliance