Google, Apple, Microsoft Commit to Eliminating Passwords

Google, Apple and Microsoft today committed to building support for passwordless sign-in capabilities based on authentication technologies advanced under the auspices of the FIDO Alliance.

Sam Srinivas, director of product management for authentication security at Google and president of the FIDO Alliance, said all three platform providers will implement the authentication framework, simplifying its application across the Android, iOS, macOS and Windows operating systems as well as the Chrome, Safari and Edge browsers.

The announcement, made on World Password Day, is part of an ongoing effort to eliminate the need to rely on passwords. Credentials are routinely stolen by cybercriminals who use a wide range of social engineering and brute force techniques, said Srinivas. Today, there are millions of username and password combinations listed for sale on the dark web, enabling cybercriminals to automate the process of posing as someone else to access a website or application.

The FIDO Alliance, initially formed in 2013, is an industry consortium that aims to advance an alternative to passwords based on the FIDO Universal Second Factor (FIDO U2F), the FIDO Universal Authentication Framework (FIDO UAF) and the FIDO2 set of specifications. Going forward, devices and browsers will store a FIDO credential, called a passkey, that employs cryptography to access an account. When a user signs in to a website, a prompt will also appear on a nearby mobile device. If a device is lost, passkeys will securely sync to a user’s new phone via a cloud backup.

Historically, password management has been—and remains—unwieldy. End users either opt to rely on simple words or phrases that are easily hacked or continually make requests to change complex passwords they can’t remember. Password managers have made managing this process easier, but very few end users change their passwords in keeping with cybersecurity best practices. As a result, the bulk of support requests that IT teams deal with every day are issues involving passwords. Most of that time could be better spent on other tasks.

There is, of course, no such thing as perfect security. The goal is to make devices and browsers much more resilient to phishing attacks, said Srinivas. It’s simply too easy for cybercriminals to compromise passwords that, even when changed, are generally just slight variations of ones the user previously used. Cybercriminals who specialize in social engineering techniques are very adept at guessing username and password combinations using personal details they glean from across the web.

It may be some time before passwords are entirely eliminated. In one form or another, passwords have been used by humanity since the dawn of civilization. However, there may come a day when end users show a marked preference for online services that don’t require them to remember a password. In the meantime, cybersecurity professionals can take some solace in the fact that progress is being made toward eliminating passwords.


Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
