A future without passwords may be closer than we think, at least when a new initiative to enlist your smartphone as a mobile authenticator gets off the ground.
On Thursday, the FIDO Alliance announced a new type of authentication that would use passkeys stored on your phone to unlock your online accounts without requiring a password. Google, Apple and Microsoft are all on board with the new method and have promised that their respective operating systems will support this technology.
Passwords have always been a poor way to secure our accounts. We’re constantly told to create a strong, complex and unique password for each account. But that’s a difficult task, leading many people to use weak and repetitive passwords, which can easily be compromised and used in data breaches and account takeovers. Such tools as password managers have provided some relief but still chain us to this clumsy and ineffective means of authentication.
With support from Google, Apple and Microsoft, the new authentication method will store a FIDO-based passkey on your mobile phone. That key will be encrypted to protect it from compromise and will be accessible only when you unlock your phone. When you try to sign in to an app or website, whether on the phone itself, on a nearby computer or on another device, that passkey will log you in automatically, regardless of operating system or browser and without your having to enroll or re-enroll the device. If you switch to a new phone, your passkey will make the trip with you.
To allow the passkey to be transmitted, you’ll use the same methods you normally use to unlock your smartphone, such as a PIN, fingerprint scan or facial recognition. The new approach will protect against phishing attacks and be more secure than passwords and multi-factor authentication methods, the FIDO Alliance said.
“To sign into a website on your computer, you’ll just need your phone nearby, and you’ll simply be prompted to unlock it for access,” Google explained. “Once you’ve done this, you won’t need your phone again, and you can sign in by just unlocking your computer. Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.”
Google said that it will implement this new passwordless technology in Android and Chrome. Apple will support it in iOS, macOS and Safari. Microsoft will do the same for Windows and its Edge browser.
This gives app and website developers the task of implementing the technology to allow for passwordless logins, a process that will require the use of APIs offered by the operating systems and browsers.
Though no specific deadlines or timelines were revealed, Google said that the passkey support will become available across the industry in 2022 and 2023, while the FIDO Alliance said that the new capabilities are expected to become available from Apple, Google and Microsoft over the coming year.
“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives,” said Alex Simons, corporate VP for product management at Microsoft. “Any viable solution must be safer, easier and faster than the passwords and legacy multi-factor authentication methods used today. By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords. We see a bright future for FIDO-based credentials in both consumer and enterprise scenarios.”