appchery

The End of the Phishing Nightmare: How Google, Apple, and Microsoft Plan to Eliminate Passwords

Three of the largest browser developers, Google, Apple, and Microsoft, have joined forces to introduce a groundbreaking mechanism called FIDO (Fast Identity Online) and Passkey. This collaboration aims to bring an end to the era of passwords for users across all operating systems and various services. What makes this collaboration particularly unprecedented is that Apple, known for its strict policy against endorsing external technologies, is actively participating in its development.

Why is this news exciting?

If you’ve been lucky or extremely diligent and have never had your user credentials stolen, the following staggering statistics may catch your attention:

  • 2020: The year with the highest number of recorded data breaches worldwide, with passwords as the cause.
  • 82%: The percentage of employees admitting to using the same password for multiple accounts.
  • 60%: The percentage of reused passwords involved in several data breaches in 2020.
  • Three-quarters: The share of employees using the same password for both work and personal accounts.
  • 40%: The percentage of organizations still noting down passwords on paper.

Passwords are a vulnerable aspect of everyone’s data, and in many instances, stealing them is as simple as a brute force attack, even for a novice hacker. Users often prefer easily memorable phrases for passwords, making it the responsibility of technology companies and infrastructures to enhance online security.

Various methods have been introduced to protect passwords, such as multi-factor authentication or password management applications. However, as long as passwords exist, hackers will find new ways to steal them. One might argue, and not without reason, that a strong password is one that doesn’t exist at all. The headaches of using passwords persist: phishing risks, theft of user credentials, password reuse, and the challenge of remembering multiple codes.

Past proposals to eliminate passwords had numerous drawbacks. The primary weakness was the lack of a recovery mechanism for cases when an individual loses access to their phone, physical tokens, or connected devices.

Another problem was that most solutions could not completely replace passwords. Even options like facial recognition and fingerprint detection were still reliant on passwords. Moreover, none of these methods provided a solution for using a secure token across all operating systems and various services.


Why is this time different?

This time is different because Apple, Google, and Microsoft, the creators of the most widely used browsers and the most popular smartphone brands, have finally agreed upon a specific solution. This solution, called “Multi-Device Authentication” or colloquially, “Passkey,” was developed by the FIDO Alliance, an industry group dedicated to developing passwordless authentication mechanisms.

As the term “Multi-Device” implies, this mechanism is implementable on all iOS, Android, and Windows-based devices. In its initial implementation, it will function across all services belonging to Apple, Google, and Microsoft.

A strong password is one that simply does not exist.

The Passkey mechanism, introduced in an article by the FIDO Alliance this March, is essentially an update to current authentication protocols. Its usage is not only highly user-friendly but also significantly more cost-effective for large services such as GitHub and Facebook compared to previously proposed methods. This is because its infrastructure already exists in the browsers and phones we currently use.

Microsoft describes Passkey as a more secure, faster, and easier alternative to passwords that is completely immune to phishing attacks. Google also considers this mechanism a historic and significant step towards a passwordless world. The FIDO Alliance suggests that this technology could, for the first time, become the dominant method of authentication on the internet, replacing passwords.

While current multi-factor authentication (MFA) methods like time-based one-time passwords have made significant progress in the past five years, they still face challenges due to the diversity of authentication mechanisms for different platforms and services. Passkey, with its ability to be implemented across all operating systems and services, offers an easy and cost-effective solution, making it the best option for achieving the dream of a passwordless world.

What is the Passkey Mechanism?

Before delving into the Passkey mechanism, let’s briefly discuss current authentication methods as Passkey is essentially an improved version of these methods. Cybersecurity experts categorize authentication factors into three groups: something you know (e.g., a password), something you have (e.g., a mobile phone), and something you are (e.g., fingerprint or other biometric methods).

You may be familiar with two-factor authentication on social networks like Instagram, which combines something you know (password) with something you have (mobile phone). Passkey replaces the “something you know” factor with “something you are,” while “something you have” remains a part of the mechanism. Instead of entering a password, users employ biometric methods such as fingerprint or facial recognition. This method is used as a second factor alongside the user’s device for authentication.

The Anti-Phishing Secret of Passkey: Bluetooth Usage

To prevent hackers from accessing user accounts, the Passkey system sends authentication requests via Bluetooth instead of using the internet. The anti-phishing nature of this mechanism lies in its use of Bluetooth. In a passwordless world, it is assumed that all internet users own at least two devices, such as a phone and a computer, since their phone is intended to serve as their identity key.

When unlocking the phone, users simultaneously register their biometric factor (fingerprint or facial scan) as a security token for accessing their account on that device. Now, whenever users want to log into their Instagram account, whether through a computer or an iPhone or Android device, they simply click on the Passkey login button without entering a password or even a username. A Bluetooth notification is then sent to their phone. They only need to unlock their phone with their biometric factor to instantly access their account.

The use of Bluetooth in this method has two advantages: it synchronizes Passkey across different operating systems and eliminates the risk of hackers entering user accounts since authentication occurs locally. Additionally, since these tokens are stored in the cloud, there is no need to worry about losing or changing devices.

A Passwordless World in Our Near Future

For ten years, major technology companies have been discussing the end of the era of passwords, and it makes sense for us to continue to view this narrative with skepticism until all the pieces fall into place, and Passkey support becomes widespread on most platforms and services. Google itself acknowledges that implementing this technology across all devices and supporting it on all websites and applications will be a time-consuming process.

Nevertheless, with the backing of Google, Microsoft, and Apple for this project, we are now very close to realizing this vision. According to Andrew Shikiar, executive director of the FIDO Alliance, the implementation of this system will commence from late 2022 or early 2023, with each of these three companies having its own specific timeline for Passkey support in the coming year.

Completely eliminating passwords is a highly challenging process, as passwords have been the sole method of authenticating users on the internet for decades, and many individuals are not willing to part with them. However, the support of technology giants for this method is a significant step forward. With luck, we will never again have to type meaningless strings of letters and numbers like mCdC4css0!zd570 to access our accounts.
