Apple, Google and Microsoft team up to support passwordless FIDO logins

On May 5, World Password Day, we may have moved a step closer to making passwords a thing of the past.

In a joint effort, tech giants Apple, Google and Microsoft announced Thursday morning that they have pledged to build support for passwordless login across all of the mobile, desktop and browser platforms they control over the coming year. In effect, this means that passwordless authentication will arrive on all major device platforms in the not-too-distant future: Android and iOS mobile operating systems; Chrome, Edge and Safari browsers; and Windows and macOS desktop environments.

“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, senior director of platform product marketing at Apple. “Working with the industry to establish new, more secure login methods that provide better protection and eliminate password vulnerabilities is at the heart of our commitment to creating products that provide maximum security and a seamless user experience – all for the purpose of keeping users’ personal information safe.”

A representation of login without a password
Image: FIDO Alliance

A passwordless sign-in process will allow users to choose their phone as the primary authentication device for apps, websites and other digital services, as Google detailed in a blog post on Thursday. Unlocking the phone with whatever is set as the default action – entering a PIN, drawing a pattern or using fingerprint unlock – will then be sufficient to log in to web services without ever needing to enter a password. This is made possible by a unique cryptographic token called a passkey, which is shared between the phone and the website.

By making logins dependent on a physical device, the idea is that users will benefit from simplicity and security simultaneously. Without a password, there will be no need to remember login information across services or to compromise security by reusing the same password in multiple places. Similarly, a passwordless system will make it much more difficult for hackers to compromise login credentials remotely, since login requires access to a physical device; and, theoretically, phishing attacks where users are directed to a fake website for password capture will be much harder to mount.

Vasu Jakkal, Microsoft vice president for security, compliance, identity and privacy, highlighted the degree of compatibility between platforms. “With passkeys on your mobile device, you can sign in to an app or service on almost any device, regardless of the platform or browser the device is using,” said Jakkal in an emailed statement. “For example, users can sign in on a Google Chrome browser running on Microsoft Windows, using a passkey on an Apple device.”

Cross-platform functionality is made possible by a standard called FIDO, which uses the principles of public key cryptography to enable passwordless authentication and multi-factor authentication in a range of contexts. A user’s phone can store a unique FIDO-compliant key and share it with a website for authentication only when the phone is unlocked. According to Google’s post, passkeys can also be easily synced to a new device from a cloud backup in case a phone is lost.
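To make the public-key idea concrete, the sketch below is an added example, not code from the FIDO Alliance or from any of the three companies. It is a simplified model rather than the real WebAuthn message format: the website keeps only a public key, the phone signs a fresh challenge bound to the site's origin once it is unlocked, and the function names and origins are assumptions made for illustration.

```javascript
// Added example: simplified FIDO-style challenge-response, not the WebAuthn wire format.
const crypto = require('node:crypto');

// Phone side: create a key pair for one website. The private key stays on the device.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
}

// Phone side: sign the site's challenge together with the origin the browser is
// actually showing, and only if the user has unlocked the device.
function signAssertion(privateKey, challenge, origin, unlocked) {
  if (!unlocked) throw new Error('device locked: refusing to sign');
  const clientData = JSON.stringify({ challenge: challenge.toString('base64url'), origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Website side: holds only the public key and the challenge it issued for this login.
function verifyAssertion(publicKey, issuedChallenge, expectedOrigin, assertion) {
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return false; }
  if (data.origin !== expectedOrigin) return false;            // signed for another site
  const got = Buffer.from(String(data.challenge), 'base64url');
  if (got.length !== issuedChallenge.length) return false;
  if (!crypto.timingSafeEqual(got, issuedChallenge)) return false; // stale or foreign challenge
  return crypto.verify('sha256', Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

// Constructed scenario: one genuine login, one response produced on a look-alike
// origin, and one old response presented against a fresh challenge.
function demo() {
  const site = 'https://example.com';             // constructed origin
  const lookAlike = 'https://login-example.test'; // constructed look-alike origin
  const { publicKey, privateKey } = createPasskey();
  const challenge = crypto.randomBytes(32);
  const genuine = signAssertion(privateKey, challenge, site, true);
  const wrongOrigin = signAssertion(privateKey, challenge, lookAlike, true);
  return {
    genuine: verifyAssertion(publicKey, challenge, site, genuine),
    wrongOrigin: verifyAssertion(publicKey, challenge, site, wrongOrigin),
    replayed: verifyAssertion(publicKey, crypto.randomBytes(32), site, genuine),
  };
}
```

Only the genuine response verifies; the one signed on the look-alike origin and the one presented against a new challenge are both rejected, and nothing the website stores could be reused to sign in elsewhere.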

Although many popular apps already include support for FIDO authentication, the initial login required the use of a password before FIDO could be configured, meaning users were still vulnerable to phishing attacks in which passwords are intercepted or stolen along the way.

But the new procedures will remove the initial requirement for a password, as Sampath Srinivas, director of product management for secure authentication at Google and president of the FIDO Alliance, said in a statement sent to The Verge.

“This expanded FIDO support announced today will allow websites to implement, for the first time, an end-to-end passwordless experience with phishing-resistant security,” Srinivas said. “This includes both the first login to a website and repeat logins. When passkey support becomes industry-wide in 2022 and 2023, we will finally have the internet platform for a truly password-free future.”

So far, Apple, Google and Microsoft have all said they expect the new sign-in capabilities to be available on all platforms within the next year, though no more specific roadmap has been announced. Although the plot to kill the password has been going on for years, there are signs that this time it may have finally succeeded.
