Apple, Google, & Microsoft: New Passwordless Sign-in
In a joint effort, tech giants Apple, Google, and Microsoft announced on May 5th, World Password Day, that they have committed to building support for passwordless sign-in across all of the mobile, desktop, and browser platforms that these big tech companies control in 2022.
Effectively, this means that passwordless authentication will come to all major device platforms in the not-too-distant future: Android and iOS mobile operating systems; Chrome, Safari, and Edge browsers; and the Windows and macOS desktop environments.
This will ultimately help establish new, more secure sign-in methods that offer better protection by eliminating the vulnerabilities of passwords, increasing cyber security overall.
A passwordless login process will let users choose their phones as the main authentication device for apps, websites, and other digital services.
Unlocking the phone with whatever is set as the default action, such as entering a PIN, drawing a pattern, or using fingerprint unlock, will be enough to sign in to web services without the need to ever enter a password.
This is all made possible by a unique cryptographic token called a passkey, part of the FIDO Alliance's passwordless secure authentication technology, that is shared between the phone and the website.
This cross-platform functionality uses the principles of public key cryptography to enable passwordless authentication and multi-factor authentication in a range of contexts.
Your phone could store a unique FIDO-compliant passkey and will share it with a website for authentication only when the phone is unlocked.
Passkeys can also be easily synced to a new device from cloud backup in the event that a phone is lost.
The idea is that users will simultaneously benefit from simplicity and security. Without a password, there will be no obligation to remember login details across services or compromise security by reusing the same password in multiple places.
Equally, a passwordless system will make it much more difficult for hackers to compromise login details remotely since signing in requires access to a physical device.
Hopefully, this will make phishing attacks much harder to carry out.
Though many popular applications already included support for FIDO authentication, initial sign-on has required the use of a password before FIDO can be configured — meaning that users were still vulnerable to phishing attacks that see passwords intercepted or stolen along the way.
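An added example, not taken from the announcement or from FIDO Alliance code: a simplified Node.js model of the public-key challenge-response behind passkeys, showing why an assertion signed on a look-alike site, replayed against a new challenge, or spliced together from two responses is rejected. The function names, the JSON message layout and the `.example` origins are assumptions made for illustration, and this is not the real WebAuthn wire format.

```javascript
// Simplified model of a FIDO-style sign-in (assumption: NOT the WebAuthn wire format).
const crypto = require("crypto");

// Registration: the phone creates a key pair for one site. In this model only the
// public key goes to the site; the private key stays on the device.
function register(siteOrigin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { privateKey }, server: { siteOrigin, publicKey } };
}

// Device side: sign only after the local unlock (PIN, pattern, fingerprint).
// The origin the browser is actually on is part of the signed data.
function signAssertion(device, challenge, browserOrigin, unlocked) {
  if (!unlocked) throw new Error("device is locked");
  const clientData = JSON.stringify({ challenge: challenge.toString("hex"), origin: browserOrigin });
  const signature = crypto.sign("sha256", Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server side: the challenge must be the one just issued, the origin must be
// the site's own, and the signature must verify under the stored public key.
function verifyAssertion(server, expectedChallenge, assertion) {
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return false; }
  if (!data || data.challenge !== expectedChallenge.toString("hex")) return false; // stale or replayed
  if (data.origin !== server.siteOrigin) return false; // signed while on another site
  return crypto.verify("sha256", Buffer.from(assertion.clientData), server.publicKey, assertion.signature);
}

// Constructed scenario: one genuine sign-in and three that the server must reject.
function demo() {
  const { device, server } = register("https://shop.example");
  const challenge = crypto.randomBytes(32);
  const good = signAssertion(device, challenge, "https://shop.example", true);
  const lookalike = signAssertion(device, challenge, "https://shop-login.example", true);
  return {
    genuine: verifyAssertion(server, challenge, good),
    lookalikeSite: verifyAssertion(server, challenge, lookalike),
    replayed: verifyAssertion(server, crypto.randomBytes(32), good),
    // Genuine client data paired with the signature made on the look-alike site.
    spliced: verifyAssertion(server, challenge, { clientData: good.clientData, signature: lookalike.signature }),
  };
}
```

Unlike a password, nothing in these messages can be reused on another site or for a later sign-in, because each signature covers one origin and one server-issued challenge.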
With passkeys on your mobile device, you’re able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running.
For example, users can sign in on a Google Chrome browser that’s running on Microsoft Windows, while using a passkey on an Apple device.
Sampath Srinivas, product management director for secure authentication at Google and president of the FIDO Alliance, said in an email statement sent to The Verge:
“This extended FIDO support being announced today will make it possible for websites to implement, for the first time, an end-to-end passwordless experience with phishing-resistant security,” said Srinivas.
“This includes both the first sign-in to a website and repeat logins. When passkey support becomes available across the industry in 2022 and 2023, we’ll finally have the internet platform for a truly passwordless future.”
For macOS or iOS, you can start using passkeys now where available. Google plans to open the developer tools needed to implement passkeys on Android “towards the end of 2022.”
Microsoft currently supports passkeys on the web using Windows Hello and will support logging into a Microsoft account using passkeys from an iOS or Android device “in the near future.”
The plot to kill the password has been underway for years; this time there are signs that it may finally succeed!