For more than a decade, we've been receiving promises that a password-free world is right around the corner.

Now, for the first time, a workable form of passwordless authentication is about to become available to the masses, in the form of a standard adopted by Apple, Google and Microsoft that lets passkeys work across platforms and across services in place of beleaguered passwords.

Until now, one of the main drawbacks of passwordless schemes was the lack of a viable recovery mechanism when a credential was forgotten or a device changed. Another limitation is that most solutions ultimately failed to be truly passwordless: they gave users the option to sign in with a face or fingerprint scan, but eventually fell back to a password, which means phishing, password reuse and forgotten passcodes (all the reasons we hate passwords) did not go away.

After all, passwords are notoriously insecure, especially weak ones, and easily guessed credentials account for more than 80% of all data breaches, according to Verizon's annual data breach report.

So, in a rare alliance, Apple, Google and Microsoft have joined forces to expand support for passwordless logins across mobile, desktop and browsers, while making them both more convenient and more secure (1).

Not only that, but the new solution is easier than ever for users, and it is less expensive for big services such as GitHub and Facebook to operate.

It has also been meticulously designed and reviewed by experts in authentication and security.

How will that happen?

The three companies announced expanded support for the passwordless login standard from the FIDO Alliance, an open industry consortium launched in February 2013 with a stated mission to develop and strengthen authentication standards that "help reduce the world's overreliance on passwords."

This means you will soon be able to use your smartphone to sign in to an app or website on a nearby device, no matter which operating system or browser you are using, with the same procedure you already perform many times a day to unlock your phone: a fingerprint, a face scan or the device PIN.

If you're using a modern smartphone, you'll know how to do it.

Instead of asking you to enter a password, a website (whatever it is) will send a notification to your phone asking you to verify your identity. You simply authenticate with the method you normally use to unlock your phone: entering your PIN, using the fingerprint sensor, or using face unlock.

FIDO's passkey system also lets you use another of your existing devices for authentication by sending the unlock request to that device over Bluetooth.

As long as your phone or laptop is nearby, you can log in this way anywhere.

The three companies have long supported the passwordless login standard created by the FIDO Alliance, and you may have encountered it when signing in from a new browser for the first time, but until now users were still forced to log in to every website or app with a password on each device before they could use the passwordless feature.

Over the next year, the three tech giants will implement passwordless login standards across macOS, Android and Windows.

This means, for example, that users will be able to sign in to the Google Chrome browser running on Microsoft Windows using a passkey stored on their Apple device.

In addition, the credentials will be synced online so that they remain available when the current phone is replaced or lost.

This solves another problem that has plagued some users of multi-factor authentication as it is used today: the risk of being locked out of accounts when a phone is lost or stolen.

Recovery works by using a device that is already confirmed as yours to download the credentials, with no password required.

What about safety?

"That's really the point here: there is no recovery process, because the private key is instantly available across the user's devices; they just need to verify themselves on their devices to log in to their pre-registered accounts," wrote Andrew Shikiar, CEO of the FIDO Alliance. "If the question is about cloud recovery of the device (for example, how do I get back into my iCloud account?), this is something that every platform provider manages, and they all have very secure ways to ensure that recovery is possible for real users" (2).

Besides giving end users a more usable login process, the scheme also offers robust security protection that goes beyond what most online services provide today.

"While any multi-factor authentication is better than none, FIDO is the only phishing-resistant one, and the gold standard for multi-factor authentication," says Bob Lord, Senior Technical Adviser at the Cybersecurity and Infrastructure Security Agency.

It is also important to note that this passkey scheme does not replace two-factor authentication; it replaces only the password factor with a comparable technology.

The FIDO Alliance had already outlined the concept in a white paper published in March, but the announcement of the major companies' pledge came on World Password Day (3).

Because of all of the above, it will be difficult for attackers to compromise login credentials remotely, because logging in requires access to a physical device.

"Working with the industry to create new, more secure login methods that provide better protection and eliminate password vulnerabilities is fundamental to our commitment to building products that provide maximum security and a transparent user experience, all with the goal of retaining users," said Kurt Knight, Apple's senior director of platform product marketing, in a press release (4).

Therefore, even if a remote attacker starts a login, the account owner cannot be tricked into approving it with a passkey, since the phone or other authentication device must be physically close to the user's computer before the "Do you want to log in?" prompt appears. A scammer in another city, state or country therefore cannot initiate a login and complete it the way they can against current authentication techniques.

Lord and other security experts say passkeys also eliminate the need to enter a password without compromising the security guarantees that most current forms of multi-factor authentication offer.

An alternative system

Most multi-factor authentication today consists of a password plus a security token: something you know and something you have.

The new system offers another, easier combination: something you have (your phone) and something you are (your fingerprint or face scan).

Andrew Shikiar, CEO of the FIDO Alliance, said he expects offerings to begin appearing by the end of this year and early next year.

"Each platform provider has their own initial deployment schedule over the next year," Shikiar wrote. "Once all three companies have fully implemented the system, users will be able to take advantage of the passkey functionality for cross-device passwordless logins on one device platform, and they can also move from one platform to another. This last procedure is performed via local Bluetooth pairing in a new protocol that is included in the FIDO specification."

"Personal information is secure"

This new collective commitment was lauded by Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency (CISA), who called it "the kind of forward-looking thinking" that is needed. Easterly added: "Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords. Cyber is a team sport, and we are pleased to continue our collaboration" (4).

On the other hand, some consider getting rid of passwords entirely a difficult and complicated prospect, given that they have been the de facto way to verify your identity online for decades, and many people would be reluctant to give up a convenient and familiar way of logging in.

However, having the major browsers and platforms support this new approach is a big step.

We may never have to type nAsC4rr0xx420! ever again.

While the password has so far survived many attempts to kill it off for good, this may be one of the last nails in its coffin.

——————————————————————–

Sources

1- 2022 Data Breach Investigations Report:

2- How Apple, Google, and Microsoft will kill passwords and phishing in one stroke:

3- FIDO Alliance white paper guides enterprise MFA choices, Summit details unveiled:

4- Apple, Google and Microsoft team up on passwordless logins: