Put bluntly, passwords suck. We just published a lengthy article about an email scam that exists only because too many people have weak passwords that they reuse across multiple sites (see “How to Help a Friend Whose Email Has Been Hacked to Send Scams,” 5 May 2022). Why don’t we instead get to use sophisticated biometric authentication like Touch ID and Face ID more broadly? That may happen in the coming year, thanks to Apple, Google, and Microsoft committing to support the FIDO standard for passwordless logins.
To an extent, all three companies already support FIDO Alliance standards to enable passwordless logins, but this announcement expands those capabilities by providing automatic access to FIDO passkeys on multiple devices without having to re-enroll every account and by allowing FIDO authentication on a mobile device to sign in to an app or website on another device nearby, regardless of the operating system or Web browser in use.
Last year at Six Colors, Dan Moren wrote about Apple’s Passkeys system, introduced as a technology preview at WWDC 2021. It gives a glimpse of how Apple thinks this new passwordless authentication approach will work. In short, when you sign up for an Internet account, you would create only a username; Passkeys would create the passkey and store it in your keychain. All the Internet service would have is your username and your public key. When you want to sign in later, all Passkeys would have to do is prove that your device has the corresponding private key, which it would do by asking you to authenticate via Touch ID or Face ID. That would raise questions about how users would deal with the loss of a device and seemingly eliminate the possibility of signing in using someone else’s device, but those are implementation details.
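The sign-in flow described above, modeled as an added example (not code from Apple, the FIDO Alliance, or the original article): the service stores only a username and a public key, and the device proves possession of the private key by signing a fresh challenge. The function names, the in-memory stores, and the choice of Ed25519 through Node.js's crypto module are assumptions for illustration, and this is not the WebAuthn message format.

```javascript
// Added illustration: simplified passkey-style challenge-response.
const crypto = require('node:crypto');

// Server state: usernames and public keys only, never a shared secret.
const accounts = new Map(); // username -> public key (PEM)
const pending = new Map();  // username -> outstanding single-use challenge

// Device side: the private key never leaves this object (stands in for the keychain).
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { privateKey, publicPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Sign-up: the service records the username and the public key.
function register(username, publicPem) {
  accounts.set(username, publicPem);
}

// Sign-in, step 1: the server issues a fresh random challenge.
function beginLogin(username) {
  const challenge = crypto.randomBytes(32);
  pending.set(username, challenge);
  return challenge;
}

// Sign-in, step 2: the device signs the challenge.
// On a real device this step is gated by Touch ID or Face ID.
function signChallenge(privateKey, challenge) {
  return crypto.sign(null, challenge, privateKey);
}

// Sign-in, step 3: the server checks the signature against the stored public key.
function finishLogin(username, signature) {
  const challenge = pending.get(username);
  const publicPem = accounts.get(username);
  pending.delete(username); // one attempt per challenge, so a captured signature cannot be replayed
  if (!challenge || !publicPem) return false;
  return crypto.verify(null, challenge, publicPem, signature);
}
```

A breach of the `accounts` map exposes nothing that can be used to sign in, which is the property that separates this design from a password database.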
With luck, we’ll start to see Passkeys (or whatever Apple ends up calling it) implemented for real in the upcoming releases of macOS 13, iOS 16, iPadOS 16, and watchOS 9. As the press release says:
“These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year.”
It can’t happen soon enough. Death to passwords!