Apple† google and Microsoft announced this week that they will soon support an approach to authentication that avoids passwords altogether, instead requiring users to unlock their smartphones only to log into websites or online services. Experts say the changes should help defeat many types of phishing attacks and lighten the overall password burden for Internet users, but be warned that a true passwordless future for most websites could be years away.
The tech giants are part of an industry-led effort to replace passwords that are easily forgotten, often stolen by malware and phishing schemes, or leaked and sold online in the wake of corporate data breaches.
Apple, Google, and Microsoft are some of the more active contributors to a passwordless login standard developed by the FIDO (“Fast Identity Online”) Alliance and the World Wide Web Consortium (W3C), groups that have worked with hundreds of tech companies over the past decade. to develop a new login standard that works similarly across multiple browsers and operating systems.
According to the FIDO Alliance, users can log into websites using the same action they take multiple times a day to unlock their devices, including a device PIN or biometric data such as a fingerprint or facial scan.
“This new approach protects against phishing and logins will be radically more secure compared to passwords and legacy multi-factor technologies such as one-time passcodes sent via SMS,” the alliance wrote on May 5.
Sampath SrinivasGoogle’s director of security authentication and president of the FIDO Alliance, said under the new system, your phone stores a FIDO credential, called a “password,” which is used to unlock your online account.
“The password makes logging in much more secure as it is based on public key cryptography and is only shown to your online account when you unlock your phone,” Srinivas wrote. “To log into a website on your computer, all you need to do is have your phone nearby and you’ll be prompted to unlock it to access it. Once you’ve done this, you won’t need your phone anymore and you can log in by unlocking your computer.”
if ZDNet notes, Apple, Google, and Microsoft already support these passwordless standards (eg, “Sign in with Google”), but users must log in to each website to use the passwordless functionality. With this new system, users can automatically access their password on many of their devices — without having to re-register each account — and use their mobile device to log into an app or website on a nearby device.
Johannes UlrichDean of Research at the SANS Technology Institute, called the announcement “by far the most promising attempt to solve the authentication challenge.”
“The most important part of this standard is that users don’t have to buy a new device, but instead can use devices they already have and know how to use them as an authenticator,” Ullrich said.
Steve Bellovinaa professor of computer science at Columbia University and an early internet researcher and pioneer, called the passwordless effort a “huge advance” in authentication, but said it will be a very long time before many websites catch up.
Bellovin and others say a potentially tricky scenario in this new passwordless authentication scheme is what happens when someone loses their mobile device, or their phone breaks, and they can’t remember their iCloud password.
“I worry about people who can’t afford an extra device, or can’t easily replace a broken or stolen device,” Bellovin said. “I’m concerned about forgotten password recovery for cloud accounts.”
Google says that even if you lose your phone, “your passkeys will be securely synced to your new phone from cloud backup, so you can pick up where your old device left off.”
Apple and Microsoft also have cloud backup solutions that customers using these platforms can use to recover from a lost mobile device. But Bellovin said a lot depends on how securely such cloud systems are managed.
“How easy is it to add another device’s public key to an account, without authorization?” Bellovin wondered. “I think their protocols make it impossible, but others disagree.”
Nicholas Weaverteacher at the computer science department of University of California, Berkeleysaid websites should still have a recovery mechanism in place for the “you’ve lost your phone and password” scenario, which he described as “a very difficult problem to solve securely and already one of the biggest weaknesses in our current system.”
“If you forget the password and lose your phone and can recover it, it’s a huge target for attackers,” Weaver said in an email. “If you forgot the password and lose your phone and CANNOT, well, you’ve lost your authorization token used to login. It will have to be the last. Apple has the infrastructure to support it (iCloud keychain), but it’s unclear if Google does.”
Still, he said, the overall FIDO approach has been a great tool for improving both security and usability.
“It’s really a really good step forward, and I’m excited to see this,” Weaver said. “Taking advantage of the strong authentication of the phone owner’s phone (if you have a decent passcode) is quite nice. And at least for the iPhone, you can make this robust, even for phone compromises, since it’s the secure enclave that would handle this and the secure enclave doesn’t trust the host OS.”
The tech giants said the new passwordless capabilities will be enabled “over the next year” on Apple, Google and Microsoft platforms. But experts said it will likely be several more years before smaller web destinations adopt the technology and ditch passwords altogether.
Recent research shows that far too many people still reuse or recycle passwords (slightly modifying the same password), posing an account takeover risk when those credentials are eventually exposed to a data breach. A report in March from a cybersecurity firm SpyCloud found that 64 percent of users reuse passwords for multiple accounts, and 70 percent of credentials compromised in previous breaches are still in use.
A March 2022 White Paper on the FIDO approach is available here (pdf). An FAQ about this can be found here.