"Apple, Google and Microsoft expand support for FIDO" sounds like the opening line of a joke. However, it is anything but, and it is a great move by all three companies. The goal is to deliver expanded support for a common passwordless sign-in standard. The standard has been developed by the FIDO Alliance and the World Wide Web Consortium (W3C).
In many ways, this move shouldn’t come as a surprise to anyone. All three companies have been working for some time to eliminate passwords for authentication. This latest move to support the FIDO Alliance and W3C standard could be critical.
The industry giants say that they expect the new capabilities they are announcing to become available over the coming year. That means sometime before the middle of 2023.
Andrew Shikiar, executive director and CMO of the FIDO Alliance, said, “‘Simpler, stronger authentication’ is not just FIDO Alliance’s tagline — it also has been a guiding principle for our specifications and deployment guidelines.
“Ubiquity and usability are critical to seeing multi-factor authentication adopted at scale, and we applaud Apple, Google, and Microsoft for helping make this objective a reality by committing to support this user-friendly innovation in their platforms and products.
“This new capability stands to usher in a new wave of low-friction FIDO implementations alongside the ongoing and growing utilization of security keys — giving service providers a full range of options for deploying modern, phishing-resistant authentication.”
What are Apple, Microsoft and Google doing?
Much of the groundwork here has already been done. Existing support for FIDO initiatives means people already use biometrics to sign into billions of devices. Additionally, all modern web browsers also support passwordless access to apps that run in them.
What is planned here is a significant extension around two key elements.
- Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to reenroll every account.
- Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.
The goal of these two changes is to reduce further the use of passwords. Most apps and websites still require you to log in when you first use the device. Additionally, many, such as financial apps, will allow you only a limited number of uses before requiring you to put in your credentials again. That opens up a window of opportunity for an attack. It also persuades users to write down complex passwords.
The idea here is that you have universal access once you have set up your login to a device. Some browsers, such as Brave, already allow you to share password files across multiple devices and operating systems. The goal is now to extend that further.
Enterprise Times: What does this mean?
Before anyone gets overexcited and thinks this is the death knell for passwords, take a breath. There are many places where passwords are likely to persist for a long time due to the costs and knowledge gaps in implementing passwordless solutions.
It will also be interesting to see how the password manager vendors engage. A limited number are already working with FIDO. They believe that passwords are here for at least the medium-haul. Will they be proven wrong? Will they look to adapt their technology to be part of this change? How many will survive in a post-password world?
The most important thing here is that three industry giants are engaging positively in a single announcement to end one of the biggest security pain points. While this may not be the singular knock-out blow for passwords, we are close to the end game.
According to Jake Moore, Global Cyber Security Advisor at ESET, “We are still a way off a passwordless future, but it is encouraging that Microsoft, Google and Apple are attempting to pave the way to make account access secure as well as convenient. This isn’t something that can be achieved overnight, but it highlights that more needs to be done when it comes to password security.
“Passwords, however, have a part to play in account security as they can be changed and don’t directly rely on unique device identifiers such as your phone.
“Cybercriminals will inevitably attempt to circumnavigate by looking for ways to exploit this method as nothing remains hackproof, but like with any early adoption of new technology, this is a great start and we are likely to see a decent version of this in the near future.”