In honor of World Password Day, Apple, Google, and Microsoft on Thursday announced plans to expand support for the passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium (W3C).
Thursday’s announcement covered two enhancements. The first lets a mobile phone authenticate a FIDO credential for a sign-in on a laptop. The second lets users automatically access their FIDO sign-in credentials on many of their devices, as long as those devices are from the same vendor, without having to re-enroll every account.
The option likely to see wide adoption over the next year is the ability to use FIDO authentication on a mobile device to sign in to an app or website on a laptop, regardless of the OS platform or browser the user runs.
Rolf Lindemann, vice president of products at Nok Nok Labs, a long-time proponent of passwordless technology, explained it this way:
“A user will bring up a banking app on the browser in their laptop. The banking app will prompt them to sign in without a password and then once they click OK a sensor on their smartphone will prompt them to authenticate. Users will have the option to authenticate via fingerprint or facial recognition, depending on preference or what the device offers.”
Lindemann said that today this is already possible with the Chrome browser on a Windows machine using an Android device. Apple devices are expected to gain the capability later this year.
“I think it will really move the needle because today you have to bootstrap every device separately,” Lindemann said. “With the new approach you can use your phone locally connected to bootstrap the device. Users would connect the phone to a laptop and use the phone as a security key. The phone would have the role of a YubiKey.”
Lindemann said users would no longer have to use one-time passcodes sent by text message or authenticate with codes generated by apps such as Google Authenticator or Authy. He said today’s authenticator apps take users up to 30 seconds to authenticate, versus 2 to 5 seconds with the new FIDO approach. The industry also promises authentication success rates of close to 100%, versus today, when some 15% of authentications fail.
Evan Krueger, head of engineering at Token, said the various incarnations of FIDO have been fantastic from a security standpoint, but support has been inconsistent across browsers and platforms, which has made adoption of the standard challenging. Additionally, Krueger said FIDO implementations have lacked a strong focus on usability.
“Today’s announcement from the FIDO Alliance gives me confidence that we’ll start seeing broad adoption of FIDO authentication solutions in the next year that are both secure and convenient enough to finally replace passwords,” Krueger said. “The move away from passwords as a primary means of authentication is overdue. Most security breaches are borne of credential theft and reuse. Nearly all MFA solutions end up being an additional hurdle for their users without really protecting them from threats like phishing. A passwordless FIDO authentication scheme solves all of these issues.”
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, added that FIDO is self-contained: there are no certificates exposed either to the user or the organization.
“FIDO protocols use standard public key cryptography techniques to provide stronger authentication and are designed from the ground up to protect user privacy,” Bocek said. “It’s portable and allows for trust once you sign in once.”
Jasson Casey, chief technology officer at Beyond Identity, said efforts like FIDO are critical because they address different use cases in an effort to move away from password dependence. Casey said the two use cases FIDO presents, roaming authentication using Bluetooth to communicate with an authenticator running on a phone and synchronizing keys between machines, are certainly a positive step toward wider passwordless adoption.
“As FIDO Alliance members, we agree that passwordless should support those use cases and more while continuing to strengthen security in the process by leveraging what’s already built into modern devices — the secure enclaves such as TPM — combined with the security posture of the device itself,” Casey said.