Apple, Google and Microsoft want FIDO to kill passwords
Apple, Google and Microsoft are expanding their support of the FIDO standard as they work to eradicate passwords – you can expect big improvements on their platforms this year.
No password? No need (maybe)
In a joint statement, the companies say they hope that expanding support for the passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium will allow websites and apps to offer secure and easy passwordless sign-ins across devices and platforms.
The reasons are easy to understand.
Password-only authentication is one of the biggest security problems on the web, and managing passwords is cumbersome for consumers, which often leads consumers to reuse the same ones across services.
That leads to data breaches and worse, and while 2FA and password managers help, the industry continues to work on finding an even more convenient means of authentication.
The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in using interactions such as Face ID or a device PIN.
A multi-year, pan-industry effort
Hundreds of tech firms and service providers have been working with the FIDO Alliance and W3C to create the passwordless sign-in standards already supported in billions of devices and modern web browsers. Apple, Google, and Microsoft are now building this support into their respective platforms.
The idea is that users won’t need to sign into each website or app before they can begin using the services. The Big Tech firms now plan to give users two new capabilities for passwordless sign-in:
- Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to re-enroll every account.
- Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.
These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year.
What FIDO says
“‘Simpler, stronger authentication’ is not just FIDO Alliance’s tagline — it also has been a guiding principle for our specifications and deployment guidelines. Ubiquity and usability are critical to seeing multi-factor authentication adopted at scale, and we applaud Apple, Google, and Microsoft for helping make this objective a reality by committing to support this user-friendly innovation in their platforms and products,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance.
“This new capability stands to usher in a new wave of low-friction FIDO implementations alongside the ongoing and growing utilization of security keys — giving service providers a full range of options for deploying modern, phishing-resistant authentication.”
What CERT said
“The standards developed by the FIDO Alliance and World Wide Web Consortium and being led in practice by these innovative companies is the type of forward-leaning thinking that will ultimately keep the American people safer online. I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers,” said Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency.
“At CISA, we are working to raise the cybersecurity baseline for all Americans. Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords. Cyber is a team sport, and we’re pleased to continue our collaboration.”
What Apple said
“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, Apple’s Senior Director of Platform Product Marketing.
“Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.”
What Google said
“This milestone is a testament to the collaborative work being done across the industry to increase protection and eliminate outdated password-based authentication,” said Mark Risher, Senior Director of Product Management, Google.
“For Google, it represents nearly a decade of work we’ve done alongside FIDO, as part of our continued innovation towards a passwordless future. We look forward to making FIDO-based technology available across Chrome, ChromeOS, Android and other platforms, and encourage app and website developers to adopt it, so people around the world can safely move away from the risk and hassle of passwords.”
What Microsoft said
“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” says Alex Simons, Corporate Vice President, Identity Program Management at Microsoft.
“By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords. We see a bright future for FIDO-based credentials in both consumer and enterprise scenarios and will continue to build support across Microsoft apps and services.”
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies and remedy the problems users face with creating and remembering multiple usernames and passwords.