On May 5th – World Password Day – we may have taken a step closer to passwords being a thing of the past.
In a joint effort, technology giants Apple, Google and Microsoft announced Thursday morning that they are committed to building support for passwordless login across all mobile, desktop, and browser platforms they control in the coming year. Effectively, that means that passwordless authentication will come to all major device platforms in the not too distant future: Android and iOS mobile operating systems; Chrome, Edge and Safari browsers; and the Windows and macOS desktop environments.
“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, senior director of platform product marketing at Apple. “Working with industry to establish new, more secure login methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience – all with the goal of keeping users secure.”
A password-free login process will allow users to choose their phones as the primary authentication device for applications, websites, and other digital services, as detailed in a Google blog post published Thursday. Unlocking your phone with whatever is set as a default action – entering a PIN, drawing a pattern or using a fingerprint unlock – will then be enough to log in to web services without ever having to enter a password, enabled by a unique cryptographic token called a passkey that is shared between the phone and the website.
By making logins dependent on a physical device, the idea is that users will simultaneously benefit from simplicity and security. Without a password, there will be no obligation to remember login details across services or compromise security by reusing the same password in multiple locations. Equally, a password-free system makes it much more difficult for hackers to compromise login details remotely, because a login requires access to a physical device; and, theoretically, phishing attacks where users are directed to a fake website for password capture will be much harder to mount.
Vasu Jakkal, Microsoft’s vice president of security, identity and privacy, emphasized the degree of compatibility between platforms. “With passkeys on your mobile phone, you can log in to an app or service on almost any device, regardless of the platform or browser the device is running on,” Jakkal said in an email statement. “For example, users can sign in with a Google Chrome browser running Microsoft Windows — using a passkey on an Apple device.”
The cross-platform functionality is enabled by a standard called FIDO, which uses the principles of public key cryptography to enable password-free authentication and multi-factor authentication in a variety of contexts. A user’s phone can store a unique FIDO-compliant passkey and will share it with a website for authentication only when the phone is unlocked. According to the Google post, passkeys can also be easily synced to a new device from a cloud backup in case a phone is lost.
Although many popular applications already include support for FIDO authentication, the initial login has required the use of a password before FIDO could be configured – meaning users were still vulnerable to phishing attacks in which passwords are intercepted or stolen along the way.
But the new procedures will remove the initial password requirement, Sampath Srinivas, director of product management for secure authentication at Google and president of the FIDO Alliance, said in an email statement sent to The Edge.
“This extended FIDO support announced today will enable websites to carry out, for the first time, an end-to-end password-free experience with phishing-resistant security,” Srinivas said. “This includes both the first login to the website and repeated logins. When passkey support becomes available across the industry in 2022 and 2023, we will finally have the online platform for a truly passwordless future.”
So far, Apple, Google and Microsoft have all said they expect the new login capabilities to be available across platforms in the coming year, although a more specific roadmap has not been announced. Although the plot to kill the password has been in the works for years, there are signs that this time it may have succeeded.