On May 5th, World Password Day, we may have taken another step toward the abolition of passwords.

Apple, Google, and Microsoft announced Thursday morning that they will work together to build support for passwordless sign-in across all of their mobile, desktop, and browser platforms in the coming year. This effectively means that passwordless authentication will be available in the not-too-distant future for all major device platforms, including Android and iOS mobile operating systems, Chrome, Edge, and Safari browsers, and Windows and macOS desktop environments.

“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, senior director of platform product marketing at Apple. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.”

According to a blog post published Thursday by Google, a passwordless login process will allow users to use their phones as the primary authentication device for apps, websites, and other digital services. Unlocking the phone with whatever action is set as the default — entering a PIN, drawing a pattern, or using fingerprint unlock — will then be sufficient to sign in to web services without the need to ever enter a password, made possible by the use of a unique cryptographic token called a passkey that is shared between the phone and the website.

image: FIDO Alliance

By making logins contingent on a physical device, the idea is that users will simultaneously benefit from simplicity and security. Without a password, there will be no obligation to remember login details across services or compromise security by reusing the same password in multiple places. Equally, a passwordless system will make it much more difficult for hackers to compromise login details remotely since signing in requires access to a physical device; and, theoretically, phishing attacks where users are directed to a fake website for password capture will be much harder to mount.

Microsoft’s vice president of security, compliance, identity, and privacy, Vasu Jakkal, emphasized the degree of platform compatibility. “With passkeys on your mobile device, you can sign in to an app or service on nearly any device, regardless of the platform or browser,” Jakkal explained in an emailed statement. “For example, using a passkey on an Apple device, users can sign in on a Google Chrome browser running on Microsoft Windows.”

The cross-platform functionality is enabled by the FIDO standard, which employs public key cryptography principles to enable passwordless authentication and multi-factor authentication in a variety of contexts. When a user’s phone is unlocked, it can store a unique FIDO-compliant passkey and share it with a website for authentication. Passkeys can also be easily synced to a new device from cloud backup in the event that a phone is lost, according to Google’s post.

Though many popular applications already supported FIDO authentication, initial sign-on required the use of a password before FIDO could be configured, leaving users vulnerable to phishing attacks in which passwords are intercepted or stolen along the way.

However, the new procedures will eliminate the need for a password, according to Sampath Srinivas, product management director for secure authentication at Google and president of the FIDO Alliance, in an email statement to The Verge.

“This extended FIDO support being announced today will make it possible for websites to implement, for the first time, an end-to-end passwordless experience with phishing-resistant security,” said Srinivas. “This includes both the first sign-in to a website and repeat logins. When passkey support becomes available across the industry in 2022 and 2023, we’ll finally have the internet platform for a truly passwordless future.”

So far, Apple, Google, and Microsoft have all stated that the new sign-in capabilities will be available across platforms within the next year, though no specific timeline has been announced. Although the plot to kill the password has been ongoing for years, there are signs that it may have finally succeeded this time.
