SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Apple, Google and Microsoft expand plans to get rid of passwords
Fri, 6th May 2022

A world where user identities can be verified without relying on passwords is getting closer after Apple, Google and Microsoft announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.

This new capability will allow websites and apps to offer consistent, secure and easy passwordless sign-ins to consumers across devices and platforms.

FIDO Alliance says password-only authentication is one of the biggest security problems on the web. Managing so many passwords is cumbersome for consumers, which often leads them to reuse the same ones across services.

The Alliance says this practice can lead to costly account takeovers, data breaches and even stolen identities. While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure.

FIDO Alliance says the expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option.

Users will sign in through the same action they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face or a device PIN.

This new approach protects against phishing, and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS.

FIDO Alliance CMO and executive director Andrew Shikiar says simpler and stronger authentication is the Alliance's guiding principle for its specifications and deployment guidelines.

"Ubiquity and usability are critical to seeing multi-factor authentication adopted at scale, and we applaud Apple, Google and Microsoft for helping make this objective a reality by committing to support this user-friendly innovation in their platforms and products," he says.

FIDO Alliance says hundreds of technology companies and service providers worldwide worked within the FIDO Alliance and W3C to create the passwordless sign-in standards that are already supported in billions of devices and all modern web browsers.

It says Apple, Google and Microsoft have led the development of this expanded set of capabilities and are now building support into their respective platforms.

FIDO Alliance says these companies' platforms already support FIDO Alliance standards to enable passwordless sign-in on billions of industry-leading devices, but previous implementations required users to sign in to each website or app with each device before they could use passwordless functionality.

The latest announcement extends these platform implementations to give users two new capabilities for more seamless and secure passwordless sign-ins.

First, users can automatically access their FIDO sign-in credentials (referred to by some as a passkey) on many of their devices, even new ones, without re-enrolling every account.

Second, users can use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.

These new capabilities are expected to become available across Apple, Google and Microsoft platforms over the course of the coming year.

FIDO Alliance says in addition to facilitating a better user experience, the broad support of this standards-based approach will enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method.

Apple's senior director of platform product marketing Kurt Knight says privacy and security are important.

"Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience, all with the goal of keeping users' personal information safe," he says.

Google's senior director of product management Mark Risher says this milestone is a testament to the collaborative work being done across the industry to increase protection and eliminate outdated password-based authentication.

"We look forward to making FIDO-based technology available across Chrome, ChromeOS, Android and other platforms, and encourage app and website developers to adopt it, so people around the world can safely move away from the risk and hassle of passwords," he says.

Microsoft identity program management corporate vice president Alex Simons says the world is making significant progress towards eliminating passwords.

"The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today," he says.

"We see a bright future for FIDO-based credentials in both consumer and enterprise scenarios and will continue to build support across Microsoft apps and services."

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy the problems users face with creating and remembering multiple usernames and passwords.