
Apple, Google, Microsoft Make Combined Push for Password-Less Logins

The upcoming system largely relies on the smartphone to authenticate user sign-ins and promises to work across different platforms.

The IT industry is taking another big step toward embracing password-less technology. Three major companies—Apple, Google, and Microsoft—are adopting a new login system that ditches passwords and relies on your smartphone or laptop to authenticate your sign-ins.

“This will simplify sign-ins across devices, websites, and applications no matter the platform — without the need for a single password,” Google said in the announcement. “These capabilities will be available over the course of the coming year.”

Google has been among the vendors pushing the tech industry to drop passwords for simpler, more secure ways to grant login access. To do so, the company has been using the smartphone as a way to authenticate a user’s login. Rather than type in a password, you can simply go to your phone and unlock access to the internet account on your PC. From there, the Android phone can sign an authentication request via Bluetooth to the PC, logging you in. 

The problem is that current password-less approaches don’t always work from one hardware platform to another. Functionality can also be lost if you’re signing in from a new device. 

To fix this, Apple, Google, and Microsoft plan on adopting an upgraded password-less login method called “multi-device FIDO credential,” which is designed to work across platforms. 

The system comes from the FIDO Alliance, a consortium of companies that have been working on standards and protocols around dropping passwords. “Until now, users were required to enroll their FIDO credentials for each service on each new device, typically with a password for that first sign-in. With multi-device FIDO credentials, the credentials are available to users whenever they need them—even if they replace their device,” the Alliance said. 

Google shared a screenshot of how this new login method will work for a consumer:

(Image: Google)

“To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access,” the company explained. “Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer. Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.”

The other important advantage is that no credential data is transmitted from the phone to the website during the login process. “Instead, your phone will store a FIDO credential called a passkey which is used to unlock your online account,” Google said.

In other words, the website issues a digital “challenge” that your passkey can sign, which will then unlock access to the account. This approach could be more secure than some two-factor authentication systems involving one-time passcodes, which can be stolen or intercepted.
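The challenge-and-signature exchange described above can be modelled in a few lines of Node.js; this is an added example, not code from Google or the FIDO Alliance, and it is a simplified model rather than the real WebAuthn message format. The function names and the two `.example` origins are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of passkey sign-in, not the WebAuthn wire format.
const crypto = require('node:crypto');

// Enrollment: the device creates a key pair. Only publicKey goes to the website.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Website: a fresh random challenge per sign-in attempt, remembered until used.
function issueChallenge(pending) {
  const challenge = crypto.randomBytes(32).toString('hex');
  pending.add(challenge);
  return challenge;
}

// Device: after the user unlocks it, sign the challenge together with the
// origin the browser is actually talking to.
function signAssertion(privateKey, challenge, observedOrigin) {
  const clientData = JSON.stringify({ challenge, origin: observedOrigin });
  return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
}

// Website: check the signature first, then the origin, then consume the challenge.
function verifyAssertion(publicKey, expectedOrigin, pending, { clientData, signature }) {
  if (!crypto.verify('sha256', Buffer.from(clientData), publicKey, signature)) return 'bad-signature';
  const { challenge, origin } = JSON.parse(clientData);
  if (origin !== expectedOrigin) return 'wrong-origin';
  return pending.delete(challenge) ? 'ok' : 'unknown-or-replayed-challenge';
}

function demo() {
  const site = 'https://shop.example';            // constructed origin
  const lookalike = 'https://shop-login.example'; // constructed look-alike origin
  const { publicKey, privateKey } = createPasskey();
  const pending = new Set();

  const good = signAssertion(privateKey, issueChallenge(pending), site);
  const phished = signAssertion(privateKey, issueChallenge(pending), lookalike);
  // Same signature, but with the origin field edited after signing.
  const rewritten = { ...phished, clientData: phished.clientData.replace(lookalike, site) };
  return {
    login: verifyAssertion(publicKey, site, pending, good),
    replay: verifyAssertion(publicKey, site, pending, good),
    phished: verifyAssertion(publicKey, site, pending, phished),
    rewritten: verifyAssertion(publicKey, site, pending, rewritten),
  };
}

console.log(demo());
```

Unlike a one-time passcode, a signed response is useless once its challenge has been consumed, and one produced on a look-alike site fails the origin check even if the origin field is edited afterwards.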

Of course, someone could steal your phone to try to break into your online accounts. But as a safeguard, the multi-device FIDO credential system can rely on your phone's fingerprint sensor, facial recognition, or a PIN code to verify that the sign-in attempt comes from the actual owner.

The other plus is that the multi-device FIDO credential can be stored and synced across several personal devices by using Bluetooth. “The user experience around FIDO credentials would be very similar to that of using a password manager that helps the user sign in, but the level of security is better than even traditional two-factor authentication—all without requiring any additional steps or devices during authentication,” the FIDO Alliance added in a paper.

However, it’ll be up to third-party websites and apps to adopt the FIDO standards. So the password-less system may not arrive for all of your online accounts. But the FIDO Alliance is hopeful Thursday’s announcement will help bolster cybersecurity for everyone.

“This new capability stands to usher in a new wave of low-friction FIDO implementations alongside the ongoing and growing utilization of security keys—giving service providers a full range of options for deploying modern, phishing-resistant authentication,” said Andrew Shikiar, executive director of the FIDO Alliance.

About Michael Kan