The first Thursday of May is apparently “World Password Day,” and to celebrate Apple, Google, and Microsoft are launching a “joint effort” to kill the password. The major OS vendors want to “expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.”
The standard is being called either a “multi-device FIDO credential” or just a “passkey.” Instead of a long string of characters, this new scheme would have the app or website you’re logging in to push a request to your phone for authentication. From there, you’d need to unlock the phone, authenticate with some kind of PIN or biometric, and then you’re on your way. This sounds like a familiar system for anyone with phone-based two-factor authentication set up, but this is a replacement for the password rather than an additional factor.
A graphic has been provided for the user interaction:
Some push 2FA systems work over the Internet, but this new FIDO scheme works over Bluetooth. As the whitepaper explains, “Bluetooth requires physical proximity, which means that we now have a phishing-resistant way to leverage the user’s phone during authentication.” Bluetooth has a terrible reputation for compatibility, and I’m not sure “security” has ever been a real concern, but the FIDO Alliance notes that Bluetooth is just “to verify physical proximity” and that the actual sign-in process “does not depend on Bluetooth security properties.” Of course, that means both devices will need Bluetooth on board, which is a given for most smartphones and laptops but could be a tough ask for older desktop PCs.
Similar to how a password manager can unify your logins under a single password, your passkeys can be backed up by some big platform-holder like Apple or Google. This would let you easily bring your credentials to a new device, prevent you from losing them, and make it easy to sync passkeys across devices. If you lose your device, you can still recover your accounts by signing in (uh—with a password?) to your big platform-holder account. It may also be a good idea to have more than one device set up as an authenticator.
Companies have been trying to go “passwordless” for years, but getting there has been tough. Google has a whole timeline on its blog post starting from 2008. Passwords work fine if they are long, random, secret, and unique, but the human element of passwords is always a problem. We aren’t great at memorizing long, random strings of characters. It’s tempting to write down passwords or reuse them, and phishing schemes try to trick you into giving your password to a third party. When a security breach happens, username and password pairs are easy to share, and there are huge databases of compromised credentials out there.
The FIDO blog post says: “These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year.” Apple, which seems to have started the whole “passkey” trend, already has a system up and running in iOS 15 and macOS Monterey, but it’s not compatible with other platforms yet. Google’s passkey support has already been spotted in Play Services on Android, so it should quickly be supported by even older Android devices as soon as it’s ready.
Listing image by FIDO Alliance
https://arstechnica.com/?p=1852374