In honor of World Password Day – May 5 – the world’s largest technology companies have announced an alliance to end our dependence on passwords. This would mean no longer using passwords on any major platform, including desktop, mobile and web browsers: no passwords for Windows, macOS, Chrome, Edge, Android, iOS, Safari and so on. It certainly sounds appealing, but obviously security questions remain.
Today Microsoft, Apple and Google announced a joint commitment to implement the FIDO standards for signing in to their respective platforms. FIDO stands for Fast Identity Online, and instead of a password, people will use their phones to verify their identity. The phone stores an access key and will only share it with a website or app once the phone is unlocked. With FIDO, all you have to do when you reach a site that would normally ask for your password is unlock your phone, whether through Face ID, a fingerprint or a similar method. According to Google, you can still recover your access key even if you lose your phone: it is synced to the cloud and restored to your new device. The companies will start implementing the changes over the next year, continuing into 2023.
FIDO is already used by many applications and sites, but previously a password was required to activate and configure it. The expanded support from Microsoft, Google and Apple will get rid of this requirement. According to Apple’s press release, this will provide an “end-to-end experience without a password”. However, despite the adoption of FIDO by these three companies, the companies that make applications and websites will still have to choose to support it. It will not be something that is automatically applied to everything at once. As Google noted in its blog post, “we understand that it will still take time for this technology to be available to all devices and for website and application developers to take advantage of it.”
In light of this news, no one could reasonably deny that the current password situation is a security nightmare. Most people have so many passwords that they cannot remember them all. This leads to people reusing passwords or choosing simple ones, which poses a security risk. FIDO says the average Internet user has over 90 different accounts that require a password. There are existing solutions to this problem, including two-factor authentication (2FA) and password managers. However, people need to take the initiative and actively enable 2FA on sites that support it, or learn how to use a password manager. Both steps can be difficult for many users. What these technology companies are doing is essentially implementing multi-factor authentication globally, for all users. It is unclear whether users will need to opt in to this new authentication method once their devices support it, but it appears that it will be activated automatically.
Now for the questions this raises. Is unlocking your phone more secure than standard two-factor authentication? It appears so. When a code is sent to your phone via SMS, it flashes on the screen if we assume that notifications are enabled, so anyone nearby can see it. There is also the problem of SIM swapping, which is neither widespread nor cheap for fraudsters, but it happens; it allows a fraudster to redirect the 2FA code to their own phone. As far as law enforcement is concerned, this is a completely different can of worms. A police officer cannot force you to give up a phone password, but whether you can be compelled to unlock the phone with biometric data is still murky. Generally speaking, “something you know” is still safer in terms of security than “something you are”.
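To make the login flow described above, and the contrast with an SMS code that anyone who sees it can use, concrete, here is an added example in Go; it is not code from Google, Apple, Microsoft or the FIDO Alliance. It models the exchange with a single Ed25519 signature rather than the real FIDO/WebAuthn message formats: the phone keeps the private key and signs the site’s one-time challenge only after being unlocked, while the site stores only the public key. The site name and user names used when exercising it are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator models the phone: the private key never leaves it, and it
// signs only after the user has unlocked the device (face, fingerprint, PIN).
type Authenticator struct {
	priv     ed25519.PrivateKey
	unlocked bool
}

// NewAuthenticator creates a passkey; only the public key is sent to the site.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv}, pub
}

func (a *Authenticator) Unlock() { a.unlocked = true }

// signedData binds the signature to the site identity and to a one-time
// challenge, so a response observed by someone else is useless elsewhere or later.
func signedData(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// Assert answers a login challenge instead of a password; it refuses while locked.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("device locked: unlock before signing")
	}
	return ed25519.Sign(a.priv, signedData(rpID, challenge)), nil
}

// RelyingParty models the website: it stores only public keys, no secrets.
type RelyingParty struct {
	ID   string
	Keys map[string]ed25519.PublicKey // username -> registered passkey
}

// NewChallenge issues a fresh random value valid for one login attempt.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Verify accepts only the registered key's signature over this site's ID and
// the challenge it just issued; a replayed or foreign signature fails.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Keys[user]
	return ok && ed25519.Verify(pub, signedData(rp.ID, challenge), sig)
}
```

Because the challenge changes on every attempt and the site identity is part of what is signed, a captured signature cannot be reused the way an intercepted SMS code can.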