World Password Day: Microsoft, Apple, Google accelerate push to eliminate passwords


Analysis: Microsoft, Apple, and Google -- all long-standing proponents of removing passwords for authentication -- are backing standards developed by the FIDO Alliance and the World Wide Web Consortium (W3C) that could eliminate passphrases entirely.

Sometime this year or in early 2023, the three U.S. giants will implement these standards so that people can log into online services and apps using familiar passwordless authentication methods, such as the PIN, fingerprint or face scan they use to unlock their device, the FIDO Alliance announced Thursday. FIDO is short for Fast Identity Online.
Hopefully this will bring to software and websites consistent, easy-to-manage cross-platform authentication that doesn't involve recalling passwords.
Hundreds of tech companies and service providers, including Microsoft, Apple, and Google, worked with FIDO and the W3C to develop these password-free login standards. Andrew Shikiar, executive director and chief marketing officer of the FIDO Alliance, said the support of these well-known tech companies and the commitment to introduce these new developments is expected to accelerate their adoption.
"As security keys continue to be used and grow, this new capability will usher in a new wave of low-friction FIDO implementations, giving service providers a full range of options for deploying modern, phishing-resistant authentication," said Shikiar.
Passwords have been an ongoing security concern, especially in the wake of the COVID-19 pandemic and the ensuing shift to remote services and hybrid work schedules. Microsoft believes there are 579 attacks involving passwords per second, or about 18 billion per year, many of which are successful, largely because people tend to choose bad passwords or reuse them across multiple accounts.
In a report in early March, researchers at cybersecurity vendor SpyCloud found that users continued to use the same passwords and weak or plain passwords for multiple accounts. The SpyCloud report found that 64% of users reuse passwords for multiple accounts, and 70% of passwords that have been compromised in the past are still in use.
Backbone of FIDO
For a decade, FIDO has been pushing for a passwordless approach, through technologies like USB hardware keys and - with the W3C - the WebAuthn security specification. In March, the two groups launched another version of WebAuthn.
So now we're told that the people behind Office and Azure, iPhone and iCloud, and Chrome and Gmail will implement FIDO and W3C's newly standardized features that should make it easier to use non-password login methods, regardless of operating system and platform. That includes enabling users to automatically access their FIDO login credentials (also known as "passkeys") on their devices without having to re-register for each account. Additionally, people should be able to use FIDO authentication on their mobile devices to log into websites or applications on nearby computers, whatever operating system or browser those computers are running.
"The radical shift to a passwordless world will begin with consumers making it a natural part of their lives," said Alex Simons, Microsoft's corporate vice president for identity program management, about the latest FIDO and W3C-supported features. "Any viable solution has to be more secure, easier and faster than the passwords and traditional multi-factor authentication methods used today."
Craig Lurey, co-founder and CTO of cybersecurity firm Keeper Security, told The Register that password usage isn't getting any better for cloud services. Additionally, Lurey noted that, in all of its work, FIDO "does not address the need to encrypt user data in a zero-knowledge and zero-trust environment."
Microsoft has been particularly vocal about removing passwords, saying in September 2021 that users can remove passwords from their Microsoft accounts by using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to their phone or email.
Mark Risher, senior director of product management at Google, said the vendor's partnership with FIDO and the W3C "is a testament to the collaborative work the industry is doing to strengthen protection and eliminate outdated password-based authentication."
Playing the long game
Garret Grajek, chief executive of cybersecurity firm YouAttest, told The Register that the key to the growing adoption of passwordless technology lies in devices, which Microsoft, Apple and Google dominate and on which they have implemented authentication mechanisms.
"The onus then becomes the security of these factors for the Big Three, and then the security and implementation of SSO from these devices to relying parties -- other web, mobile and native applications," Grajek said. "Given that we are in the supply chain, there are problems with hackers and other hackers, and it's not unforeseen that more hacking will happen in this space."
Before adoption accelerates, Keeper Security's Lurey said, it will take a series of steps, from vendors building technologies like multi-factor authentication into their websites and apps, to users not only being educated about the technology and trusting it, but relying on their mobile devices.
"We're going to be using passwords for at least another decade," he said. "Single-factor, passwordless logins have too many functional, logical and security issues to become the norm overnight," John Gunn, CEO of authentication provider Token, told The Register. "World Password Day is akin to a national scissors run. Both activities are inherently insecure, and according to statistical analysis, the latter is much more secure.
"The security or lack of security of passwords has only improved marginally in the 61 years since they were first implemented. Now is the time for us collectively...to commit to eliminating passwords entirely."
