Is not having a password the new password?
In a somewhat ironic celebration of World Password Day, Apple, Google, and Microsoft announced plans to support a common passwordless sign-in standard created by the Fast IDentity Online (FIDO) Alliance and the World Wide Web Consortium.
Going passwordless will allow organizations to offer consistent, secure, and easy sign-ins to consumers across devices and platforms. FIDO says:
"The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN. This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS."
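The phishing resistance FIDO refers to comes from the browser and authenticator binding every sign-in to the site's origin and relying-party (RP) ID, so a credential simply does not work on a look-alike domain. The Python below is an added example, not code from FIDO or any of the vendors named here: it performs the relying-party checks on the two structures a WebAuthn sign-in response carries (clientDataJSON and authenticatorData), assuming an RP ID of example.com and using constructed sample inputs; signature verification against the stored public key is assumed to follow these checks and is not shown.

```python
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://example.com"}  # assumed exact origins this RP serves
FLAG_UP, FLAG_UV = 0x01, 0x04              # user present / user verified


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _fail(reason: str) -> dict:
    return {"ok": False, "reason": reason, "sign_count": 0}


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, last_sign_count: int) -> dict:
    """Relying-party checks that make a FIDO sign-in phishing-resistant.
    Verifying the signature over authenticator_data || sha256(client_data_json)
    with the stored public key is assumed to happen after these checks pass."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return _fail("not a sign-in ceremony")
    if _b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return _fail("challenge mismatch: stale or replayed response")
    # The browser fills in the origin itself; a look-alike site cannot forge it.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return _fail(f"origin {cd.get('origin')!r} is not ours")
    if len(authenticator_data) < 37:
        return _fail("authenticator data truncated")
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return _fail("credential is scoped to a different RP ID")
    if not flags & FLAG_UP:
        return _fail("user presence not asserted")
    if not flags & FLAG_UV:  # passwordless: the device unlock must have happened
        return _fail("user verification (biometric or PIN) missing")
    if sign_count and sign_count <= last_sign_count:
        return _fail("signature counter did not advance: possible cloned key")
    return {"ok": True, "reason": "", "sign_count": sign_count}


def make_inputs(origin: str, rp_id: str, challenge: bytes,
                flags: int = FLAG_UP | FLAG_UV, count: int = 5):
    """Constructed sample clientDataJSON and authenticatorData, not real browser output."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    cd = json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()
    ad = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)
    return cd, ad
```

Feeding `make_inputs` a phishing origin such as `https://example.com.evil.test` is rejected at the origin check before any key material is consulted, which is the property no SMS code or password can offer.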
But, is there really a need to go passwordless? Is multi-factor authentication (MFA) not enough?
New passwordless standards
It is well known in the cybersecurity industry that password-only authentication is a serious weakness. For end users, managing many passwords across many different sites is hard, and it often leads to the same password being reused across multiple accounts (particularly among those less security-savvy).
FIDO notes that while password managers and legacy forms of MFA offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure:
"Hundreds of technology companies and service providers from around the world worked within the FIDO Alliance and W3C to create the passwordless sign-in standards that are already supported in billions of devices and all modern web browsers. Apple, Google, and Microsoft have led development of this expanded set of capabilities and are now building support into their respective platforms.
These companies' platforms already support FIDO Alliance standards to enable passwordless sign-in on billions of industry-leading devices, but previous implementations require users to sign in to each website or app with each device before they can use passwordless functionality."
The announcement brings two new capabilities:
- "Allow users to automatically access their FIDO sign-in credentials (referred to by some as a "passkey") on many of their devices, even new ones, without having to re-enroll every account."
- "Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running."
While one "passkey" that works everywhere, as described above, would be welcome, it appears we are still years away from it becoming commonplace. Craig Lurey, CTO and Co-Founder of Keeper Security, explains:
"The slow adoption of multi-factor authentication by businesses and consumers—despite MFA being a practical and highly effective way to protect end users from breaches due to credential theft—is a good indicator of the possible adoption timeframe for passwordless tech.
First, vendors have to build the technology into their websites and applications, and then, end users have to be educated about the technology and come to trust and adopt it. Note that this includes users becoming accustomed to relying on their mobile devices.
Between both organizational and consumer adoption, it may take many years until passwordless tech is widespread. Bottom line: We'll still be using passwords for at least another decade. Single-factor, passwordless login has too many functional, logistical and security issues to become the norm overnight."
For more information, see the announcement from FIDO.