Google, Microsoft and Apple have chosen World Password Day (May 5, 2022) to announce their agreement to put an end to passwords starting next year. Passwords will be replaced by a new security system called FIDO, based on authentication through mobile devices.
Ah, that place where you have all your passwords written down... Soon you will be able to get rid of it. Maybe you are one of those who use the same password for everything... a kind of religious mantra that has a sacred place in your memory along with your name, your birth date and your ID.
Whatever your case may be, you will soon be able to set that corner of your brain free and fill it with something way more useful.
Google, Microsoft and Apple have just announced their commitment to end passwords as the method for authentication and login. This initiative aims to make the web a safer place for users and to put an end to phishing and other online identity thefts.
As explained by Google in an official statement, passwords are one of the main threats to Internet security: "they’re easy to steal, they’re hard to remember, and managing them is tedious."
For quite some time now, technology companies have been trying to fight phishing and other forms of digital identity hacks based on stealing passwords. Online registrations increasingly ask for more complex passwords that, since they are difficult to remember, we end up using on multiple devices or websites. If you are one of those who use the same password for everything, you have probably received a warning from Google informing you that your password is in danger because you are using it on several sites and you should probably change it.
According to Google, in 2020 searches for <<how strong is my password>> increased by 300%. The company also notes that "66% of Americans admit to using the same password across multiple sites, which makes all those accounts vulnerable if any one falls."
Google has tried to solve this problem with 2 Step Verification (2SV), which gives the user a second verification method in case their password has been phished by a third party.
Now this approach is gaining momentum with Apple and Microsoft joining Google's investment in mobile authentication as a definitive replacement for passwords, also called FIDO.
The project takes us a step further in the efforts of tech companies to strengthen data security. Last year, Google already caused a stir when they announced the end of third-party cookies in Google Chrome, which, among other things, meant the obsolescence of many companies' data collection strategies.
- How to survive in a cookie-free world? Download our complete guide with everything you need to know about the end of third-party cookies and a roadmap to survive without them.
Fast Identity Online (FIDO): What is it and how does it work?
With Google, Apple and Microsoft's agreement on standardizing it, the new authentication method will work on both Android and iOS, Windows and macOS operating systems and Chrome, Safari and Edge.
To log in to any website or app, you will only have to unlock your phone
FIDO is based on multi-device credentials. Soon, we will login to any device, app or website through our phones. Mobile device's unlock system —fingerprint or facial recognition— will be compatible with all websites and devices.
From now on, to log in to any website or app you will only have to unlock your phone. No need for passwords.
According to Microsoft's official statement, written by Vasu Jakkal, vice president of security, compliance, identity and privacy at Microsoft, "these multi-device FIDO credentials offer users a platform-native way to safely and quickly sign in to any of their devices without a password. Virtually unable to be phished and available across all your devices, a passkey lets you sign in simply by authenticating with your face, fingerprint, or device PIN."
The strength of FIDO is that, because the authentication process is done through a physical device, it prevents frauds such as phishing that redirect users to a fake website to obtain their password.
In addition to security, Google, Apple and Microsoft all agree that the end of passwords also improves user experience, preventing users from having to remember several complex passwords and making it easier to log in.
This new public cryptography-based approach calls for full compatibility between devices and web platforms, putting cloud integration in the spotlight and forcing Google, Microsoft and Apple to make their systems more compatible. The passkey you use to unlock your phone will be synchronized with other devices via a cloud backup: "For example, users can sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device" says Vasu Jakkal.
What if we lose our phone?
The million-dollar question. Google, Apple and Microsoft have decided FIDO is the answer because they are sure it is more secure than passwords. However, the new standard is entirely based on smartphones. So, what happens if we lose our mobile phone?
Google has stated that this will not be a problem, as FIDO's passkey will be synchronized with our Google account. Therefore, if we lose our mobile, our credentials will be automatically synchronized on the new mobile through our Google account.
Losing our phone will not be a problem. However, this new approach may be a problem for the 16.28% of the world's population that does not have a smartphone, according to 2022 data.
The end of passwords: When will it start?
Google, Apple and Microsoft have chosen May 5, 2022, World Password Day, to make public they are getting rid of passwords in favour of passkeys.
The new system already has support in iOS' second beta version 15.5 and in Google Play version 22.15. 14 (still in development).
Right now we only know that passkeys will be part of all Google, Apple and Microsoft platforms in 2023, after a transition period in which passwords will be progressively replaced.
Google has already announced their support to web and app developers so that they can activate the new system in their products and services.
Let's end it with words by Kurt Knight, Apple's Senior Director of Platform Product Marketing: "Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.”