The idea of living in a world where you no longer have to worry about passwords is very attractive. And Apple, Google and Microsoft have taken up the challenge of making it possible in the not too distant future. The three companies have committed to extending support for the FIDO standard, which will allow users to access all of their services from any platform without needing a password to sign in.
This will undoubtedly mean a very important evolution in terms of authentication. Of course, it stands to reason that many are still hesitant to abandon the use of passwords altogether; however, the promoters of this initiative maintain that the approach is more secure than other multi-factor verification systems and that it is much simpler to use.
Simply put, the FIDO standard lets a single physical device serve as a general method of authentication. So, if we take a smartphone as an example, users need nothing more than their preferred unlocking method (fingerprint, PIN, pattern, Face ID) to access the services or platforms they want, without having to remember a password for each one.
The system works because the phone stores a passkey, or access key, based on public-key cryptography for signing in to different accounts. This FIDO credential is presented for login only when the user unlocks the phone with their preferred method, as described above.
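The public-key login described above, sketched as an added example (not code from the article, the FIDO Alliance or any vendor): the phone keeps the private key and signs a fresh server challenge only after a local unlock. The class names, `bank.example` and the signed-data layout are simplifications assumed here, not the real WebAuthn message format.

```javascript
// Added illustration: simplified passkey-style login, not the WebAuthn wire format.
const { generateKeyPairSync, sign, verify, randomBytes, createHash } = require('node:crypto');

// Bytes that get signed: hash of the service name plus the server's one-time challenge.
function signedData(rpId, challenge) {
  return Buffer.concat([createHash('sha256').update(rpId).digest(), challenge]);
}

// The phone: private keys never leave it, and signing requires a local unlock.
class Authenticator {
  constructor() { this.keys = new Map(); } // service name -> private key
  register(rpId) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey; // only the public half is sent to the service
  }
  signIn(rpId, challenge, userUnlocked) {
    if (!userUnlocked) throw new Error('user verification failed');
    const key = this.keys.get(rpId);
    if (!key) throw new Error('no credential for ' + rpId);
    return sign('sha256', signedData(rpId, challenge), key);
  }
}

// The service: stores a public key, so a database leak exposes no login secret.
class Service {
  constructor(rpId) { this.rpId = rpId; this.publicKey = null; this.pending = null; }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() { this.pending = randomBytes(32); return this.pending; }
  verifyLogin(signature) {
    if (!this.pending) return false;
    const challenge = this.pending;
    this.pending = null; // each challenge is single-use
    return verify('sha256', signedData(this.rpId, challenge), this.publicKey, signature);
  }
}

function demo() {
  const phone = new Authenticator();
  const bank = new Service('bank.example'); // constructed sample service name
  bank.enroll(phone.register('bank.example'));
  const sig = phone.signIn('bank.example', bank.newChallenge(), true);
  const ok = bank.verifyLogin(sig);     // fresh challenge, unlocked phone
  bank.newChallenge();
  const replay = bank.verifyLogin(sig); // old signature against a new challenge
  let locked = false;
  try { phone.signIn('bank.example', bank.newChallenge(), false); } catch (e) { locked = true; }
  return { ok, replay, locked };
}
```
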
Google, Apple and Microsoft are stepping up their bets on the FIDO standard
It should be noted that Google, Apple and Microsoft already support FIDO Alliance standards in some of their products. However, users must manually log in to each service (app or web) on each device before enabling passwordless access. The new commitment proposes to go further by adding two specific functions, detailed below.
The first is to allow users to use their passkey on different devices without having to manually enable the system for each account or service. This is interesting because it even covers setting up new equipment, such as when upgrading to a newer smartphone.
The second is that the FIDO credential on the phone can approve a sign-in on another device, even one with a different browser or operating system. So, for example, if we want to access our bank account from Safari on a Mac, we can approve the login from an Android phone using its fingerprint reader.
According to the FIDO Alliance, these new features will begin rolling out across Microsoft, Apple, and Google platforms from 2023. In fact, those in Mountain View have already indicated that they will bring passwordless login to Android, Chrome, and ChromeOS.
The FIDO Alliance maintains that using passkeys is the best answer to the problem of managing multiple passwords. Its proponents say that 80% of data leaks are due to misuse of passwords, and that this is largely due to the huge number of online services anyone uses today.
It is estimated that a user today can have more than 90 online accounts, which leads to another serious disadvantage: password reuse. Therefore, they consider using a physical medium (a smartphone, in this case) as a mandatory authentication route to be crucial for preventing hacks and identity theft.
Fewer passwords, more security
Logically, the idea of a future without passwords is not without questions. What do we do if we lose the phone we use to authenticate to all our services? According to Google, this will not be a problem. “Even if you lose your phone, our passkeys will be securely synced to the new device from cloud backup, allowing you to pick up where you left off on the old device,” they write in their blog.
Either way, it’s unclear how users will authenticate on a new device to access the saved passkeys. However, the FIDO Alliance has published a “handbook” of best practices for not losing access to accounts if the primary means of verification is lost.
It recommends encouraging users to register multiple authenticators on their accounts. That way, if they lose one device, they can use another to retain access. Setting up USB keys to store FIDO credentials is also suggested, as is having the services themselves provide account recovery methods that verify the identity of users.
We’ll see how this story progresses. The truth is that the big tech companies have taken the initiative to reach the long-awaited future without passwords. It is logical to think that the change will not happen overnight and that it will require a significant learning process for the general public.