Sometime this year or next, we may finally get to say goodbye to our passwords. Google, Apple and Microsoft have all extended their commitment to building passwordless support into their device platforms.
Over the next year, the three tech giants will implement passwordless FIDO sign-in standards across Android and Chrome; iOS, macOS and Safari; and Windows and Edge. This means that, sooner or later, you won’t need a password to log into devices, websites or applications. Instead, your phone will store a FIDO credential called a passkey, which is used to unlock your device — and your entire online account.
A passkey is significantly more secure than a password because it’s protected with cryptography and is only shown to your online account when you unlock your device. Passwords, meanwhile, leave us vulnerable to phishing scams and our own bad habits, like using the same password across accounts.
The three companies’ platforms actually already support passwordless sign-in standards created by the FIDO Alliance, an open standards industry body formed to solve password and phishing problems.
However, under previous implementations, users have to sign into each website or app with each device before they can use passwordless functionality. With this extended commitment, users will be able to automatically access their passkey on many of their devices, even new ones, without having to re-enroll every account. Additionally, people will be able to use FIDO authentication on their mobile device to sign into an app or website on a nearby device, regardless of the OS platform or browser they’re running.
Don’t forget your passwords just yet, though. Developers still have to implement passkey experiences into their websites and applications.
To do so, developers can use APIs available in the browsers and operating systems to get cryptographic sign-in messages, which they verify on the server, Sampath Srinivas, Google PM Director for Secure Authentication and president of the FIDO Alliance, explained to ZDNet in a statement provided over email.
These API calls have direct analogues in the password manager world, Srinivas explained. One API call is a direct analogue for “Create a new random password” (it can also create a random username since the user does not need to care about that). Another API call is a direct analogue for “Now play the username and password into the website”. Additionally, this new kind of “password manager” can play a password from a nearby phone onto your computer.
“And finally, on the server-side, just like the developer has to write code to verify passwords, there is a standard way to verify the crypto message which comes from the user’s browser or app,” Srinivas said.
This new collective commitment was commended by Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency, who called it “the type of forward-leaning thinking that will ultimately keep the American people safer online.”
“I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers,” Easterly said in a statement. “Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords. Cyber is a team sport, and we’re pleased to continue our collaboration.”