In honor of World Password Day (May 5th), the world’s biggest technology companies have announced an alliance to end our dependence on passwords. This would mean no more passwords on any major platform, including desktop, mobile, and web browsers: no passwords on Windows, macOS, Chrome, Edge, Android, iOS, Safari, etc. It certainly sounds appealing, but questions about security obviously remain.
Today Microsoft, Apple, and Google announced a joint effort to implement FIDO sign-in standards across their respective platforms. FIDO stands for Fast Identity Online, and instead of a password, people will use their phones to authenticate their identity. The phone stores a passkey, and it will only share it with a website or app once the phone is unlocked. With FIDO, all you will need to do when a site asks for your password is unlock your phone, whether by Face ID, fingerprint, or a similar method. According to Google, you can still access your passkey even if you lose your phone: it is synced to the cloud and restored to your new device. The companies will begin implementing the changes in the coming year, extending into 2023.
FIDO is already in use by a plethora of apps and sites, but until now a password was required to enable and configure it. The expanded support from Microsoft, Google, and Apple will get rid of that requirement. According to Apple’s press release, it will deliver “an end-to-end passwordless experience.” Even with all three companies behind FIDO, the companies that make apps and websites will still have to choose to adopt it; it won’t be applied to everything automatically right away. As Google noted in its blog post, “we understand it will still take time for this technology to be available on everyone’s devices and for website and app developers to take advantage of them.”
Nobody would reasonably claim the current password situation is anything other than a security nightmare. Most people have so many passwords they can’t remember them all, which leads to reusing passwords or choosing simple ones, and both are security risks. FIDO says the average internet user has over 90 different accounts that require a password. There are existing workarounds for this problem, including two-factor authentication (2FA) and password managers. However, people have to take the initiative and actively enable 2FA on sites that support it, or figure out how to use a password manager, and both of those steps can be a heavy lift for a lot of users. What these tech companies are doing is essentially implementing multi-factor authentication globally, for all users. It’s unclear whether a user will have to opt in to this new method of authentication once their devices support it, but it sounds like it’ll be enabled automatically.
Now for the questions it raises. Is having to unlock your phone safer than standard two-factor authentication? It seems like it. When a code is sent to your phone via SMS, it flashes on the screen (assuming notifications are enabled), where anyone nearby can see it. There’s also the issue of SIM swapping, which isn’t widespread or cheap for scammers, but it does happen; it lets a scammer redirect the 2FA code to their own phone. As for law enforcement’s rights, that’s a whole other can of worms. A police officer can’t force you to give up a passcode for a phone, but the law on using biometrics to unlock a phone is still murky. Generally speaking, “something you know” is still safer from a security perspective than “something you are.”
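To make concrete what the sign-in flow above actually exchanges, and why it is a different proposition from an SMS code that can be read off a screen or redirected, here is an added toy Go model of the FIDO-style challenge-response. It is not code from Google, Apple, Microsoft or the FIDO Alliance; the `Authenticator` and `Server` types and the exact signed-message layout are my own simplification (the RP ID hash mirrors WebAuthn’s rpIdHash, the rest is illustrative). It shows that the site stores only a public key, that the phone signs only for the origin it registered with and only while unlocked, and that each response is bound to a one-time challenge so it cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator stands in for the phone: the private key is created on the device, scoped to one relying party (RP ID), and never leaves it.
type Authenticator struct {
	rpID     string
	priv     ed25519.PrivateKey
	Unlocked bool // true once the user has unlocked the phone (Face ID, fingerprint, PIN)
}
// Register mints a key pair for rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	a.rpID, a.priv = rpID, priv
	return pub
}
// Sign answers a login challenge, refusing while locked or when the asking origin is not the registered one (a look-alike phishing domain gets nothing to relay).
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, bool) {
	if !a.Unlocked || rpID != a.rpID || a.priv == nil {
		return nil, false
	}
	return ed25519.Sign(a.priv, signedData(rpID, challenge)), true
}
// signedData binds a signature to both the RP ID and this one challenge (fixed-length hash first, so the two parts cannot be confused).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}
// Server stands in for the site: it stores only the public key and one outstanding challenge, so a leaked database holds no reusable secret.
type Server struct {
	RPID    string
	PubKey  ed25519.PublicKey
	pending []byte
}
// NewChallenge issues 32 fresh random bytes for a single login attempt.
func (s *Server) NewChallenge() []byte {
	s.pending = make([]byte, 32)
	rand.Read(s.pending)
	return s.pending
}
// Verify checks the signature over its own RP ID plus the outstanding challenge, then consumes the challenge so the same response fails if replayed.
func (s *Server) Verify(challenge, sig []byte) bool {
	ok := s.pending != nil && string(s.pending) == string(challenge) &&
		ed25519.Verify(s.PubKey, signedData(s.RPID, challenge), sig)
	s.pending = nil
	return ok
}
```

Constructed scenario to run against it: register with `example.com`, attempt a login while the phone is locked (no signature), unlock and log in (verifies), replay the same response (rejected), and ask for a signature from `examp1e.com` (refused).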