The Future Of Passwords Looks Completely Different
Passwords have been out of favor for a while: they are weak protection against hackers and phishers, and they are also tough to manage. Coming up with a secure password is never straightforward; most password-protected accounts recommend that users create a long, complex sequence of characters so that the password is harder to guess or crack. Since nobody can remember dozens of such passwords, many users fall back on one easy-to-remember password that they reuse across all of their online accounts. Others go the safer but slightly more tedious route of using a password manager to generate and store a unique complex password for each account.
But neither method is completely secure: a password manager can be compromised (and some have been) if your device is infected with malware, and a reused password exposes every account that shares it as soon as one site is breached. Another possible solution is two-factor authentication, but even that can be hijacked, according to CSO. Rather than continue to develop new ways to manage passwords, Big Tech has decided that it is time to phase them out altogether. Microsoft, along with Apple and Google, has announced plans to expand support for the passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. What are these companies proposing as an alternative, you ask? Passkeys. Let's get into all the details.
How passkeys will work
Passkeys, or multi-device FIDO credentials, will work as a single sign-in option across different devices and platforms. In practice, your device creates a passkey once for each account: a public/private key pair in which the private key never leaves the device and is unlocked locally with the device's PIN or biometric, while the website stores only the public key. Whenever you sign in to that app or website, the site sends a fresh challenge, your device asks you to unlock the passkey, signs the challenge, and returns the signature; there is no shared secret for a phishing site to capture and replay. You'll also be able to sign in on a new device using a nearby device that already holds the FIDO credential. Essentially, your phone becomes a hardware token that you can use to authorize a sign-in on another device.
The FIDO Alliance describes the security of the new scheme in a white paper laying out how it works. First, when a nearby phone is used to sign in on another device, the scheme uses Bluetooth to check that the two are physically close, something a push-based 2FA system working purely over the internet cannot do, since its prompt can be approved from anywhere. According to the white paper, that proximity requirement is what makes using the phone during authentication phishing-resistant.
If the idea of using Bluetooth as a security tool raises your eyebrows, you can drop them. The FIDO Alliance points out that Bluetooth is only used to "verify physical proximity," and that the actual sign-in procedure "does not depend on Bluetooth security properties." Of course, this implies that the devices involved in a cross-device sign-in must have Bluetooth, which is standard on most smartphones and laptops but may be difficult to come by on older desktop PCs. Also, in case you're wondering, passkeys aren't the same as two-factor authentication: they replace the password rather than adding a factor on top of it. A passkey already combines something you have (the device holding the private key) with the PIN or biometric that unlocks it, which is why a single passkey sign-in is treated as stronger than a password plus a one-time code.
How does a passwordless future sound to you?
The new FIDO standard will become available across Apple, Google, and Microsoft platforms over the course of the coming year. The Alliance hasn't provided a definite ETA, so we'll keep our eyes peeled. Apple already has a head start on the whole passkey trend since it already has a system up and running in iOS 15 and macOS Monterey, but it's not compatible with other platforms yet. Google also offers passkey support that has already been spotted in Play Services on Android. What's left is the interoperability across the different platforms, which means users will be able to use passkeys on a Microsoft device to authenticate a sign-in on an Apple device, for example.
Ditching passwords does not sound like a bad idea at all. They won't be missed. But it sounds like the FIDO Alliance still has to work out some kinks to make passwordless sign-ins secure and functional. For example, what happens if you lose your device? Per the FIDO Alliance white paper, the platform syncs your passkeys across the devices signed in to the same platform account, so you can recover them by signing in to that account on a new device. But with what? A password? Of course, it's not an issue if you have your credentials set up on more than one device, but what happens when none of those devices is nearby? Our fingers are crossed to see how the new FIDO credentials will work around these loopholes. Until then, passwords remain the devil we know.