In an attempt to go passwordless, Apple, Google, and Microsoft have decided to kill the password using the passkey standard, also called a multi-device FIDO credential.
To commemorate “World Password Day,” which falls on the first Thursday of May, Apple, Google, and Microsoft are initiating a “joint effort” to eliminate the password. “Expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium,” the major OS vendors say.
The standard is referred to as a “passkey” or a “multi-device FIDO credential.” Instead of a long string of characters, the app or website you’re logging into would send a request for authentication to your phone. You’d then need to unlock the phone, authenticate with a PIN or biometric, and then you’d be good to go. Anyone who has set up phone-based two-factor authentication would recognize this approach, although it is a replacement for the password rather than an additional component.
For user involvement, a graphic has been provided:
Some two-factor authentication systems use the Internet, whereas the new FIDO technique uses Bluetooth. “Bluetooth requires physical proximity,” according to the whitepaper, “which means we now have a phishing-resistant way to use the user’s phone during authentication.” The FIDO Alliance states that Bluetooth is only used “to verify physical proximity” and that the actual sign-in procedure “does not depend on Bluetooth security properties.” Bluetooth has a bad reputation for compatibility, and I’m not sure “security” has ever been a significant problem, but Of course, both devices will require Bluetooth, which is standard on most smartphones and laptops but may be difficult to get on older desktop PCs.
Your passkeys can be backed up by a large platform-holder like Apple or Google, similar to how a password manager can combine your logins under a single password. This would make it simple to transfer your credentials to a new device, prevent them from being lost, and sync passkeys between devices. If you lose your smartphone, you can still restore your accounts by logging into your big platform-holder account (uh—with a password?). It may also be a good idea to set up multiple devices as authenticators.
For years, companies have attempted to go “passwordless,” but the process has proven difficult. Google has a complete timeline, starting in 2008, in its blog post. Long, random, secret, and unique passwords are good, but the human element of passwords is always a concern. Long, random strings of characters are difficult for us to remember. It’s easy to forget or reuse passwords, and phishing scams attempt to fool you into disclosing your password to a third party. When there is a security breach, username and password pairs are easy to exchange, and there are large databases of compromised credentials available.
“These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year,” according to the FIDO blog post. Apple, which appears to have pioneered the “passkey” trend, has a mechanism in place in iOS 15 and macOS Monterey, but it is not currently compatible with other platforms. Google’s passkey support has already been found in Play Services on Android, indicating that it will soon be supported by even older Android devices.