Analysis Microsoft, Apple and Google – all longtime proponents of doing away with passwords for authentication purposes – are throwing their support behind standards developed by the FIDO Alliance and the World Wide Web Consortium (W3C) that could eliminate passphrases completely.
Sometime this year or early in 2023, the three US giants are set to implement these standards so that folks can log into online services and apps using familiar password-less authentication methods, such as the device PIN or fingerprint or face scans they use to unlock their devices, the FIDO – short for Fast Identity Online – Alliance announced Thursday.
We’re talking, supposedly, consistent and easy to manage cross-platform authentication for software and websites that doesn’t involve recalling passwords.
Microsoft, Apple and Google are among hundreds of tech companies and service providers that have worked with FIDO and W3C to develop these passphrase-free sign-in standards. The support from such high-profile tech companies and the promise to introduce these newly developed capabilities hopefully will accelerate their adoption, according to Andrew Shikiar, executive director and CMO of the FIDO Alliance.
“This new capability stands to usher in a new wave of low-friction FIDO implementations alongside the ongoing and growing utilization of security keys, giving service providers a full range of options for deploying modern, phishing-resistant authentication,” Shikiar said.
Passwords have been an ongoing security concern, particularly in the wake of the COVID-19 pandemic and the resulting shift to a constellation of remote services as well as hybrid work schedules. Microsoft believes there are 579 attacks involving passwords every second, or about 18 billion a year, and many of them are successful, mainly because people have a tendency to pick poor passwords or reuse them across multiple accounts.
In a report in early March, researchers with cybersecurity vendor SpyCloud found that users were continuing to use the same passwords for multiple accounts as well as weak or common passwords. SpyCloud’s report found that 64 percent of users repeat passwords for more than one accounts and 70 percent of passwords that have been compromised in the past are still in use.
The bones of FIDO
FIDO has been pushing for the adoption of password-less methods for ten years through such technologies as USB hardware keys and – with W3C – the WebAuthn security specification. In March the two groups unveiled another version of WebAuthn.
And so now we’re told the people behind Office and Azure, iPhones and iCloud, and Chrome and Gmail will implement features newly standardized by FIDO and W3C that should make using non-password sign-in methods easier, including enabling users to automatically access their FIDO sign-in credentials – also known as “passkeys” – on their devices without having to re-enroll every account. Also, individuals should be able to use FIDO authentication on their mobile devices to sign into a website or application on a nearby computer using whatever operating system or browser they’re running.
“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives,” Alex Simons, corporate vice president for identity program management at Microsoft, said about the latest FIDO and W3C-backed capabilities. “Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today.”
Password use isn’t getting much better, Craig Lurey, co-founder and CTO of cybersecurity firm Keeper Security, told The Register The reliance of businesses and consumers on passwords is growing faster, due in large part to the shift to remote work and use of cloud services, he said. In addition, Lurey noted that for all its work, FIDO “does not address the need to encrypt the user data in a zero-knowledge and zero-trust environment.”
Microsoft has been particularly vocal about doing away with passwords, and in September 2021 said users are able to remove passwords from their Microsoft accounts by instead using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to their mobile phone or email.
Mark Risher, senior director of product management at Google, said the vendors’ work with FIDO and W3C “is a testament to the collaborative work being done across the industry to increase protection and eliminate outdated password-based authentication.”
Playing the long game
The key for growing adoption of passwordless techniques starts with the device, where Microsoft, Apple and Google are dominant and have already implemented authentication mechanisms, Garret Grajeck, CEO of cybersecurity company YouAttest, told The Register.
“The onus then becomes on the security of these factors on the big three and then the security and implementation of the SSO from these devices to the relying parties – other web, mobile and on-premises applications,” Grajeck said. “Given the problems we have with supply chain hacks and other hacks, it is not unforeseeable that more hacks will be occurring in this space.”
Single-factor, passwordless login has too many functional, logistical, and security issues to become the norm overnight
Keeper Security’s Lurey said it will take a number of steps – from vendors building technologies like multi-factor authentication into their websites and applications and users not only being educated about the technology and trusting it but also relying on their mobile devices – before adoption will accelerate.
“We’ll still be using passwords for at least another decade,” he said. “Single-factor, passwordless login has too many functional, logistical, and security issues to become the norm overnight.”
John Gunn, CEO of authentication vendor Token, told The Register that “World Password Day is akin to National Running with Scissors Day. Both activities are inherently unsafe, with the latter being significantly safer based on statistical analysis.
“The security of passwords, or the lack of, has advanced only marginally over the 61 years since they were first implemented. It’s time for us to collectively … commit to eliminating passwords entirely.” ®