What if you never had to enter a password again? Imagine. An international day of celebration. Children dance in the streets. Soldiers laying down their weapons and clenching tears in their eyes on the battlefield.
Or, at least, a slight improvement in your daily life. That’s what Apple, Google and Microsoft are offering, with a fairly rare triple announcement that the three tech giants are all adopting the Fido standard and ushering in a passwordless future. The standard replaces usernames and passwords with ‘access keys’, login credentials stored directly on your device and uploaded to the website only when paired with biometric authentication like a selfie or a fingerprint. From Apple’s announcement:
Users will log in with the same action they take multiple times a day to unlock their devices, such as a simple fingerprint or face verification, or device PIN. This new approach protects against phishing and the connection will be radically more secure compared to passwords and legacy multi-factor technologies such as one-time passcodes sent by SMS.
The three companies will roll out Fido support “over the coming year”. The Fido2 standard is actually already public and some companies already support it, mainly for internal authentication. But the standard has long lacked the final step needed for ubiquity: making it easy to get started.
That’s what this latest announcement is all about. With the help of the owners of the platform, users will be able to synchronize their Fido “access keys”, without having to reconnect to each new device. It goes from a service that is a nice addition to passwords to a service that can be completely used as a replacement for them.
Ease of use is only part of the reason for the change. Passkeys, secured by biometric identification on your phone, are faster than entering passwords manually, but if you use a password manager (and you should use a password manager), you’ll be able to enter passwords and log in to most websites with a click. a button (fingerprint detection) anyway.
But the main reason is that passwords suck. They suck because of the way they’re used in practice: people create short, easy-to-guess passwords and then reuse them on the Internet. For many users, the larger a website, the more likely the password will be short and easy to guess, because even if you can tolerate entering a long, secure password once or twice, you won’t bother doing it multiple times. times a day.
And the ways we’ve tried to fix passwords… also suck. Requirements to add complexity to passwords, in an attempt to make it harder to brute force them, are notoriously infuriating and often fail to guarantee the actual result they seek: if “P@ssword1” is a valid password but “doubloon prorogue tunnel” (to offer a randomly generated passphrase by my password manager earlier) is not, you just lowered someone’s account security a.
Two-factor authentication, which asks you to link a second “factor” to your account – like a phone number that’s texted, or another device you use to approve the login – has its own issues. The most popular forms of two-factor authentication all involve the use of one-time passcodes, either texted to you or generated by an app on your phone or computer. And these one-time passcodes are just as open to phishing as a conventional password, but with a shorter expiration date if successfully stolen.
And so, if the Fido thing takes off, the world should get a little safer, a little less frustrating, and a little smoother to navigate.
What will it look like for you? Probably not so different in practice. One day, you’re going to create an account on a website and just… you won’t be asked for a password. You might not even notice this happening. But rest assured: the children will still be dancing in the streets.
If you want to read the full version of the newsletter, sign up to receive TechScape in your inbox every Wednesday.