On May 5, World Password Day, we may have come a step closer to making passwords a thing of the past.
In a joint effort, tech giants Apple, Google and Microsoft announced Thursday morning that they are committed to building support for passwordless logins across all the mobile, desktop and browser platforms they manage over the next year. In effect, this means that passwordless authentication will be coming to all major device platforms in the not-too-distant future: Android and iOS mobile operating systems; Chrome, Edge and Safari browsers; and the Windows and macOS desktop environments.
“Just as we design our products to be intuitive and capable, we design them privately and securely,” said Kurt Knight, Apple’s senior director of platform product marketing. “Working with the industry to develop new, more secure login methods that provide greater protection and eliminate password vulnerabilities is central to our commitment to build products that provide maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.”
A passwordless login process allows users to choose their phone as the primary authentication device for apps, websites and other digital services, as Google detailed in a blog post published Thursday. Unlocking the phone with whatever is set as the default action — entering a PIN, drawing a pattern, or using fingerprint unlock — is then enough to log into web services without ever entering a password, made possible by a unique cryptographic token called a passkey that is shared between the phone and the website.
By making logins dependent on a physical device, the aim is for users to benefit from simplicity and security at the same time. Without a password, there is no obligation to remember credentials for different services or compromise security by reusing the same password in multiple places. Similarly, a passwordless system will make it much more difficult for hackers to compromise credentials remotely, as login requires access to a physical device; and in theory, phishing attacks that direct users to a fake website to capture passwords will be much harder to trigger.
Vasu Jakkal, Microsoft’s vice president of security, compliance, identity and privacy, highlighted the level of compatibility between platforms. “With passkeys on your mobile device, you can sign in to an app or service on almost any device, regardless of the platform or browser the device is running on,” Jakkal said in an emailed statement. “For example, users can log into a Google Chrome browser running on Microsoft Windows with a passkey on an Apple device.”
The cross-platform functionality is enabled by a standard called FIDO, which uses the principles of public key cryptography to enable passwordless authentication and multi-factor authentication in various contexts. A user’s phone can store a unique FIDO-compliant passkey and share it with a website for authentication only when the phone is unlocked. According to Google’s post, passkeys can also be easily synced to a new device from a cloud backup in the event that a phone is lost.
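The public key challenge-response idea behind FIDO, and why a look-alike site gains nothing from it, can be sketched in a few lines. This is an added, simplified illustration, not code from Apple, Google, Microsoft or the FIDO Alliance and not the real WebAuthn message format; the function names and the origins `https://example.com` and `https://examp1e.com` are constructed for the example.

```javascript
// Simplified FIDO-style login: the site stores a public key, the phone keeps the private key.
const nodeCrypto = require("node:crypto");

// Authenticator (the phone): creates one key pair for a website at registration.
function createPasskey() {
  return nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
}

// The signed data includes the site's challenge and the origin the client is really visiting.
function signAssertion(privateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge: challenge.toString("hex"), origin });
  const signature = nodeCrypto.sign("sha256", Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Relying party (the website): checks challenge freshness, origin, then the signature.
function verifyAssertion(publicKey, expectedChallenge, expectedOrigin, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expectedChallenge.toString("hex")) return "bad-challenge";
  if (data.origin !== expectedOrigin) return "bad-origin";
  const valid = nodeCrypto.verify(
    "sha256", Buffer.from(assertion.clientData), publicKey, assertion.signature);
  return valid ? "ok" : "bad-signature";
}

function demo() {
  const site = "https://example.com";       // constructed: the genuine website
  const lookalike = "https://examp1e.com";  // constructed: a fake copy of it
  const { publicKey, privateKey } = createPasskey();
  const challenge = nodeCrypto.randomBytes(32);

  const genuine = signAssertion(privateKey, challenge, site);
  // Signed while the user was on the fake site: the origin inside the signed data gives it away.
  const relayed = signAssertion(privateKey, challenge, lookalike);
  // Rewriting the origin afterwards invalidates the signature.
  const tampered = { clientData: genuine.clientData, signature: relayed.signature };
  return {
    genuine: verifyAssertion(publicKey, challenge, site, genuine),
    relayed: verifyAssertion(publicKey, challenge, site, relayed),
    tampered: verifyAssertion(publicKey, challenge, site, tampered),
    // An old assertion is useless against a fresh challenge.
    replayed: verifyAssertion(publicKey, nodeCrypto.randomBytes(32), site, genuine),
  };
}

console.log(demo());
```

Nothing the website stores or the fake site observes can be reused to sign in, which is the property a typed password lacks.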
While many popular applications already include support for FIDO authentication, the first login requires the use of a password before FIDO can be configured – meaning users are still vulnerable to phishing attacks where passwords are intercepted or stolen along the way.
But the new procedures will remove the initial password requirement, as Sampath Srinivas, director of product management for secure authentication at Google and president of the FIDO Alliance, said in an email statement sent to The edge.
“This expanded FIDO support announced today will enable websites to implement an end-to-end passwordless experience with phishing-resistant security for the first time,” said Srinivas. “This includes both the first login to a website and repeated logins. When password key support becomes available across the industry in 2022 and 2023, we will finally have the internet platform for a passwordless future.”
So far, Apple, Google and Microsoft have all said they expect the new login capabilities to be available across all platforms in the coming year, though no more specific roadmap has been announced. While the plot to kill the password has been going on for years, there are signs that it has finally worked this time around.