The idea of living in a world where we no longer have to worry about passwords sounds very attractive, and Apple, Google and Microsoft have taken on the challenge of making it possible in the not too distant future. The three corporations have committed to extending support for the FIDO standard, which will allow users to sign in to all their services from any platform without needing a password.
Without a doubt, this will be a very important evolution in authentication. Of course, it stands to reason that many are still reluctant to ditch passwords altogether; however, the promoters of this initiative assert that the method is safer than other multi-factor verification systems and that its use is much simpler.
In simple terms, what the FIDO standard allows is the use of a general physical method of authentication. Thus, taking a smartphone as an example, users need nothing more than their preferred unlocking method (fingerprint, PIN, pattern, Face ID) to access the services or platforms they want, without having to remember a password for each one.
The system works because the phone stores a passkey (an access key based on public-key cryptography) for accessing the different accounts. That FIDO credential is only released for login when the user unlocks the phone with their preferred method, as described above.
Google, Apple and Microsoft raise their bet on the FIDO standard
It is worth noting that Google, Apple and Microsoft already support FIDO Alliance standards in some of their products. However, users must manually sign in to each service (app or website) or each device before they can activate passwordless access. What the new commitment proposes is to go a step further by adding two specific capabilities, detailed below.
The first is to let users use their access key (passkey) on different devices without having to manually activate the system for each account or service. This is interesting because it even covers setting up a new device, such as when we replace our smartphone with a newer model.
The second is that the FIDO credential lets the user approve a login on another device from their phone, even one running a different browser or OS. Thus, for example, if we want to access our bank account from Safari on a Mac, we can approve the login from an Android phone through its fingerprint reader.
According to the FIDO Alliance, these new features will begin to roll out across Microsoft, Apple and Google platforms from 2023. In fact, those from Mountain View have already indicated that they will bring passwordless login to Android, Chrome and ChromeOS.
The FIDO Alliance maintains that the use of its credential, or passkey, is the great answer to the problem of managing multiple passwords. Its promoters indicate that 80% of data breaches are due to the misuse of passwords, and that this is largely because of the enormous number of online services any individual uses today.
It is estimated that a user today can have more than 90 online accounts, which leads to another serious drawback: password reuse. They therefore consider that using a physical medium (a smartphone, in this case) as a mandatory authentication route is a crucial method to avoid hacks and identity theft.
Fewer passwords, more security
Logically, the idea of a future without passwords does not come without questions. What do we do if we lose the phone we use to authenticate to all our services? According to Google, that won’t be a problem. “Even if you lose your phone, our access keys will be securely synced to the new device from the cloud backup, allowing you to pick up right where you left off on the old device,” the company indicated on its blog.
In any case, it is not very clear how users will authenticate on a new device to access the backed-up access keys. However, the FIDO Alliance has published a “playbook” of best practices for not losing access to accounts if the main means of verification is lost.
In this sense, it is recommended that services encourage users to register multiple authenticators with their accounts. That way, if they lose one device, they can use another to keep access. The possibility of using USB security keys to store FIDO credentials is also mentioned, as is the services themselves offering account recovery methods to verify users' identity.
We’ll see how this story progresses. The truth is that the big technology companies have taken the initiative toward the long-awaited passwordless future. It is logical to think that the change will not happen overnight and that it will also require a significant learning process for the general public.