A handful of tech companies have been trying to kill the password for years… but this could be the year when it actually starts to happen. Apple, Google, and Microsoft have announced that they’re expanding support for passwordless sign-ins using a standard created by the FIDO Alliance and the W3C.
In a nutshell, instead of a password you’ll be able to use a multi-device FIDO credential or “passkey” to log in to apps, sites and services. And instead of typing anything in, you’ll just pull out your phone and scan your face or fingerprint or enter a PIN.

While Apple, Google, and Microsoft already support FIDO Alliance standards to some degree, in the past you’ve had to sign in to each website or app on a new device before you could go passwordless there. But over the coming year, you won’t need to re-enroll every time you use a new device. Log in once on one device, and you should be able to go passwordless on all of your devices.
Also new is support for using Bluetooth so that you can authenticate a login on a nearby device using your phone. For example, when trying to log in to a website on your PC, the computer can check that your phone is physically nearby before sending you a login prompt.
The companies involved all claim that this sort of passwordless login will be both more convenient and more secure than managing hundreds of unique passwords (and then changing some or all of them in the event of a data breach). And it’s certainly more secure than using the same password on multiple sites.
As Google explains, when the new feature arrives for Android and Chrome later this year, you’ll be able to log in to apps and websites using your phone, and each passkey is “based on public key cryptography and is only shown to your online account when you unlock your phone.”
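The following is an added example, not code from the article and not Google’s, Apple’s or Microsoft’s implementation: a simplified Go model of the public-key exchange behind a passkey. The site (relying party) stores only a public key, issues a fresh random challenge for each login and verifies the signature; the phone-side authenticator holds the private key, signs only after the user unlocks it, and only for the site it was registered with. Real WebAuthn signs authenticator data plus a hash of client data carrying the challenge and origin; here that is reduced to a hash of the relying-party ID and the challenge. The names bank.example, bank-example.evil and alice are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the phone side of a passkey: one private key per
// relying party, released for signing only while the device is unlocked.
type Authenticator struct {
	unlocked bool
	keys     map[string]*ecdsa.PrivateKey // relying-party ID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

func (a *Authenticator) Unlock() { a.unlocked = true }
func (a *Authenticator) Lock()   { a.unlocked = false }

// Register creates a fresh P-256 key pair bound to rpID; only the public key leaves the device.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	if !a.unlocked {
		return nil, errors.New("device locked: user verification required")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedMessage is what gets signed: the relying-party ID binds the signature
// to one site, the challenge binds it to one login attempt (simplified from WebAuthn).
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a login challenge for rpID. A site the user never registered
// with gets no signature at all, which is what defeats look-alike phishing domains.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("device locked: user verification required")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, challenge))
}

// RelyingParty models the server side: it holds public keys only, so a
// breach of its database yields nothing that can be replayed as a login.
type RelyingParty struct {
	ID      string
	users   map[string]*ecdsa.PublicKey
	pending map[string][]byte // username -> outstanding one-time challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, users: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.users[user] = pub }

// Challenge issues a fresh 32-byte random nonce, valid for exactly one verification.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature against the stored public key and retires the
// challenge, so a captured signature cannot be replayed for a second login.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	expected, have := rp.pending[user]
	if !ok || !have || !bytes.Equal(expected, challenge) {
		return false
	}
	delete(rp.pending, user)
	return ecdsa.VerifyASN1(pub, signedMessage(rp.ID, challenge), sig)
}

func main() {
	phone, bank := NewAuthenticator(), NewRelyingParty("bank.example")
	phone.Unlock()
	pub, _ := phone.Register(bank.ID)
	bank.Enroll("alice", pub)
	c, _ := bank.Challenge("alice")
	sig, _ := phone.Sign(bank.ID, c)
	fmt.Println("login accepted:", bank.Verify("alice", c, sig))
	fmt.Println("replay accepted:", bank.Verify("alice", c, sig))
	_, err := phone.Sign("bank-example.evil", c)
	fmt.Println("look-alike domain:", err)
}
```

Two properties of the design carry the security argument in the article: the server never sees the private key, so nothing reusable is stored on “corporate servers” in the sense a password would be, and the signature is bound to both the site identifier and a one-time challenge, so it is useless on another site or in a replay.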

Of course, one problem with tying your ability to log in to services ranging from email to online banking to a physical device like a phone is that if your mobile device is lost or damaged, you could find yourself locked out of your accounts. But Google says that should only be a temporary problem, since you’ll be able to back up your passkeys to the cloud and restore them to a new device.
via press release, Google blog post, and Microsoft blog posts (1)(2)
I’m okay with 2FA, and I can get behind this passwordless idea, in concept only.
However, I absolutely will not install any company’s apps on my phone to accomplish this, and I categorically avoid 2FA that uses SMS because I don’t have mobile network coverage for large parts of my day.
If companies that I do business with want to force 2FA or passwordless security like this, then they’re going to need to give me the hardware to do it.
You don’t have free use of my phone just so you can save a bunch of money on your cybersecurity insurance, reduce your fraud losses, or gain some kind of BS industry security certificate.
Oh HELL no!!!!! What happens if your phone is lost, stolen, not physically near you, or the battery is dead? Or for that matter, if you don’t have a mobile phone? I closed all my accounts at a bank last year because they were trying to force me to use 2FA (instead they lost a customer) and this is much worse than that. I hope people see this as the giant steaming turd that it is.
The real problem is that so many people just refuse to use secure (long and random) passwords. And that’s a problem, but it is THEIR problem, not mine, and I will not be punished for their stupidity or laziness. My passwords are very long, very random, and contain letters, numbers and symbols. I do not need some half-baked scheme pushed by large companies that all have interests in selling mobile phones and/or the software that runs on them.
I would say it’s fine as long as it’s entirely optional (because I will always opt out) but I have lived long enough to see too many formerly “optional” things become mandatory once enough suckers become comfortable with them. If they say that this scheme will always be totally optional, I will flat out call them liars. They certainly hope it becomes mandatory because one way or another, it’s more money in their pockets.
Cool, they are going to force me to have a smartphone, why? I despise these kinds of practices when they are mandatory. They should make them OPTIONAL, because I don’t want to have smartphones anymore, just a regular phone to send/receive calls and SMS.
Shame on you companies!
It’s really bizarre. I don’t see the point when Windows 11 requires a TPM (which can store the relevant keys in a place where almost no one, including you, can mess with them); the keys are really stored on corporate servers anyway and it’s not like a PC can’t download them. Using that, or just a PIV smartcard (like a YubiKey), would be simpler, and likely much more secure.
Do they think it’s not “secure” enough if even one of the user’s devices has an unlocked bootloader, like you can’t be trusted if you think you might at some point not want to be known by an unending record of your past mistakes?
I don’t like the idea of being tied to Google services just to log into third party sites and apps.
I’m sure Google loves the idea though.
As convenient as using a YubiKey or this other stuff that I don’t trust to sign in can be, I worry that they ultimately intend to kill off the use of passwords entirely.
Social engineering corporations HATE the idea that someone could escape punishment. “Forgiveness” is not in their vocabulary. They would just love it if political dissidents only had one chance to not step out of line.
And quite frankly, I think anything to do with biometrics is absurdly complicated compared to a YubiKey. Honestly, the only reason more people aren’t using them or other hardware tokens or smart cards is because they just can’t advertise as much as these corporations that can reap gigantic profits trying to obtain the face of every single user of one of their services.
How do you restore passkeys from the cloud to a new device because you have lost the old device, if you need that lost device with its passkeys to connect to the cloud in order to restore the passkeys to the new device?
A secret question that is easily hacked? Or how about installing an armored door on a wall that can easily be broken through, right next to the door…
all these phone based first/second factor authentication schemes need to stop… use a damn hardware token, or stop.
As I always say: a cell phone IS NOT a safe computer!
For me I feel passwords work just fine and I’m not interested in being without them. Just having two devices around all the time sounds like a hassle. But I can see it being good for some people, especially those who have trouble remembering due to physical disorders and such. The big question though, is this open enough to work on my Linux phone? Or is it just another app/thing that will perpetuate the current smartphone OS duopoly?
Mainstream idiots are driving smart people to their side. Sadly, it’s a matter of quantity not quality.