Say goodbye to your password and hello to a new era of security.
In recent years, it’s become abundantly clear that passwords are no longer the most secure form of authentication. According to Verizon’s Data Breach Investigations Report (DBIR) 2022, password security issues are responsible for 80% of data breaches worldwide. Despite their flaws, passwords are still the most commonly used form of authentication. Given the dangers of password theft, Google, Microsoft and Apple announced in May this year their plans to support a common passwordless sign-in standard created by the Fast IDentity Online (FIDO) Alliance and the World Wide Web Consortium. Let’s take a deeper dive into the mechanism of passwordless authentication and what plans the three tech giants have in place for a password-free future.
What is the FIDO Alliance?
Launched in July 2012, the FIDO Alliance is an open industry association with a single focused mission—to develop and promote authentication standards that will help reduce the world’s over-reliance on passwords. FIDO standards allow you to use multiple forms of authentication including biometrics, voice and facial recognition, Trusted Platform Modules (TPM), USB security tokens, embedded Secure Elements (eSE) and smart cards.
How does passwordless authentication work?
In a passwordless authentication system, users choose a primary device for logging on to apps, websites and other services. For instance, you can sign in to your email account with the same method (e.g. fingerprint, PIN or face recognition) that you use to unlock your phone. A unique FIDO sign-in credential, called a passkey, is then generated for that site and shared between your phone and the website, so you no longer have to type a password every time you sign in to a web service.
This new approach is more secure than passwords and other legacy methods, such as one-time passcodes sent over SMS. A passkey is much safer than signing in with a site-specific password because it is based on public key cryptography and can only be used for your online account after you unlock your device. The method relies on cryptographic keys and stores credentials for several devices in the cloud.
What are Google, Apple and Microsoft’s plans to support passwordless authentication?
The companies' latest announcement lets users opt into two new features. First, you will be able to use your passkeys to sign in on multiple devices, including new ones, without re-enrolling every account. Second, users can use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of whether that device runs an Apple or Android OS.
For example, as per Vasu Jakkal, Microsoft’s vice president for security, compliance, identity and privacy, “Users can sign-in on a Google Chrome browser that’s running on Microsoft Windows—using a passkey on an Apple device.” Apple, Google and Microsoft intend to make the new sign-in standards available across platforms next year.
This makes it much more convenient for users with multiple accounts and passwords—or who always forget their passwords—as all you need is a fingerprint or iris scan. Plus, password-free methods are much more secure than traditional passwords since they cannot be guessed or brute-forced.
Who is winning the race?
So far, Microsoft has been the most aggressive company in embracing passwordless authentication. The company recently announced that its Azure Active Directory service would soon support passwordless sign-ins for Microsoft accounts.
Google has also been looking to adopt passwordless methods for a while. In January 2021, the company announced that Chromebooks would get new features allowing users to sign in to devices and websites faster and personalize their lock screens. Users can sign in to websites through Google's implementation of Web Authentication (WebAuthn) with their fingerprint (if their device has a fingerprint scanner) or a device login PIN rather than a site-specific password. Websites that support WebAuthn will tell you it is an option before you enter your login information.
Potential drawbacks of passwordless login methods
Despite the convenience, there are a few drawbacks to using passwordless methods like the FIDO Alliance's passkey system. Firstly, passwordless login is still in its infancy, so not all websites accept passkeys yet. Secondly, according to Ralph Rodriguez, the President and Chief Product Officer at digital identity trust company Daon, passkeys are not as strong as other FIDO standards (e.g. voice, touch and face recognition). With financial institutions, passkeys can't be used on transactions because they cannot verify a user's identity, which is mandatory under Know Your Customer (KYC) standards. Thus, passkeys can pose heightened risks of synthetic fraud. So, users may still have to rely on other methods (like passwords) for financial activities.
Header image courtesy of Pexels