On May 5th — World Password Day — we might have come one step closer to passwords being a thing of the past.
In a joint effort, tech giants Apple, Google, and Microsoft announced Thursday morning that they have committed to building support for passwordless sign-in across all of the mobile, desktop, and browser platforms that they control in the coming year. Effectively, this means that passwordless authentication will come to all major device platforms in the not-too-distant future: the Android and iOS mobile operating systems; the Chrome, Edge, and Safari browsers; and the Windows and macOS desktop environments.
“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, senior director of platform product marketing at Apple. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.”
A passwordless login process will let users choose their phones as the main authentication device for apps, websites, and other digital services, as Google detailed in a blog post published Thursday. Unlocking the phone with whatever is set as the default action — entering a PIN, drawing a pattern, or using fingerprint unlock — will then be enough to sign in to web services without the need to ever enter a password, made possible through the use of a unique cryptographic token called a passkey that is shared between the phone and the website.
By making logins contingent on a physical device, the idea is that users will simultaneously benefit from simplicity and security. Without a password, there will be no obligation to remember login details across services or compromise security by reusing the same password in multiple places. Equally, a passwordless system will make it much more difficult for hackers to compromise login details remotely since signing in requires access to a physical device; and, theoretically, phishing attacks where users are directed to a fake website for password capture will be much harder to mount.
Vasu Jakkal, Microsoft’s vice president for security, compliance, identity, and privacy, emphasized the degree of compatibility across platforms. “With passkeys on your mobile device, you’re able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running,” Jakkal said in an emailed statement. “For example, users can sign in on a Google Chrome browser that’s running on Microsoft Windows — using a passkey on an Apple device.”
The cross-platform functionality is being made possible by a standard called FIDO, which uses the principles of public key cryptography to enable passwordless authentication and multi-factor authentication in a range of contexts. A user’s phone can store a unique FIDO-compliant passkey and will share it with a website for authentication only when the phone is unlocked. Per Google’s post, passkeys can also be easily synced to a new device from cloud backup in the event that a phone is lost.
Though many popular applications already include support for FIDO authentication, initial sign-on has required the use of a password before FIDO can be configured — meaning that users were still vulnerable to phishing attacks that see passwords intercepted or stolen along the way.
But the new procedures will do away with the initial requirement for a password, as Sampath Srinivas, product management director for secure authentication at Google and president of the FIDO Alliance, said in an email statement sent to The Verge.
“This extended FIDO support being announced today will make it possible for websites to implement, for the first time, an end-to-end passwordless experience with phishing-resistant security,” said Srinivas. “This includes both the first sign-in to a website and repeat logins. When passkey support becomes available across the industry in 2022 and 2023, we’ll finally have the internet platform for a truly passwordless future.”
So far, Apple, Google, and Microsoft have all said that they expect the new sign-in capabilities to become available across platforms in the next year, although a more specific roadmap has not been announced. Although the plot to kill the password has been underway for years, there are signs that, this time, it may have finally succeeded.