Apple, Google and Microsoft to soon roll out passwordless login on all major platforms
Yesterday on World Password Day, we may have come one step closer to making passwords a thing of the past.
In a joint effort, tech giants Apple, Google and Microsoft announced that they have committed to building support for passwordless login across all mobile, desktop and browser platforms they control within the following year. Effectively, this means passwordless authentication will be coming to all major device platforms in the not-too-distant future:
Android and iOS mobile operating systems.
Chrome, Edge, and Safari browsers.
The Windows and macOS desktop environments.
"Just as we design our products to be intuitive and capable, we also design them to be private and secure," said Kurt Knight, senior director of platform product marketing at Apple. "Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users' personal information safe."
A passwordless sign-in process will allow users to choose their phones as the primary authentication device for apps, websites and other digital services, Google detailed in a blog post published Thursday. Unlocking the phone with whatever is set as the default action (entering a PIN, drawing a pattern, or using fingerprint unlock) will suffice to log in to web services without entering a password. This is made possible by using a unique cryptographic token called a passkey that is shared between the phone and the website.
By making logins dependent on a physical device, the idea is that users simultaneously benefit from simplicity and security. For example, without a password, there will be no obligation to remember login details across services or compromise security by reusing the same password in multiple places. Similarly, a passwordless system will make it much more difficult for hackers to compromise login details remotely since logging in requires access to a physical device. In theory, phishing attacks in which users are directed to a fake website to capture the password will be much more challenging to mount.
Vasu Jakkal, Microsoft's vice president for security, compliance, identity, and privacy, emphasized the degree of compatibility across platforms. "With passkeys on your mobile device, you're able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running," Jakkal said in an emailed statement. "For example, users can sign in on a Google Chrome browser that's running on Microsoft Windows—using a passkey on an Apple device."
Cross-platform functionality is made possible by a standard called FIDO, which uses the principles of public-key cryptography to enable passwordless authentication and multi-factor authentication in a variety of contexts. For example, a user's phone can store a unique FIDO-compliant passkey and will share it with a website for authentication only when the phone is unlocked. According to Google's post, passkeys can also be easily synced to a new device from cloud backup if a phone is lost.
Although many popular apps already included support for FIDO authentication, the initial login required the use of a password before FIDO could be configured, meaning users were still vulnerable to phishing attacks in which passwords are intercepted or stolen along the way.
So far, Apple, Google and Microsoft have said they expect the new sign-in capabilities to be available on all platforms within the next year, though a more specific roadmap hasn't been announced. So although the effort to do away with the password has been years in the making, there are signs that it may finally have succeeded this time.
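The public-key exchange behind FIDO sign-in, as an added example that is not from the article or from any vendor's code: a simplified Node.js model (not the real WebAuthn message format) in which the website stores only a public key and the phone signs a one-time challenge together with the origin the browser reports. The origins, function names and result strings are constructed for illustration.

```javascript
const crypto = require('crypto');

// Authenticator (the phone): keeps the private key and signs only when unlocked.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only key material the website ever receives
    sign(challenge, origin, unlocked) {
      if (!unlocked) throw new Error('device locked');
      // The browser fills in the origin it is really connected to, not the page.
      const clientData = JSON.stringify({ type: 'webauthn.get', challenge, origin });
      const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
      return { clientData, signature };
    },
  };
}

// Relying party (the website): stores the public key, issues one-time challenges.
function createRelyingParty(expectedOrigin, publicKey) {
  const pending = new Set();
  return {
    newChallenge() {
      const challenge = crypto.randomBytes(32).toString('hex');
      pending.add(challenge);
      return challenge;
    },
    verify({ clientData, signature }) {
      const signed = Buffer.from(clientData);
      if (!crypto.verify('sha256', signed, publicKey, signature)) return 'bad-signature';
      const data = JSON.parse(clientData);
      if (!pending.delete(data.challenge)) return 'unknown-or-replayed-challenge';
      if (data.origin !== expectedOrigin) return 'wrong-origin';
      return 'ok';
    },
  };
}

// Constructed scenario: a normal login, a replay of it, and a sign-in relayed from a look-alike origin.
function demo() {
  const phone = createAuthenticator();
  const site = createRelyingParty('https://login.example', phone.publicKey);
  const good = phone.sign(site.newChallenge(), 'https://login.example', true);
  const relayed = phone.sign(site.newChallenge(), 'https://login.example.phish.test', true);
  return { login: site.verify(good), replay: site.verify(good), phished: site.verify(relayed) };
}

console.log(demo());
```

Because the signature covers both the fresh challenge and the origin, a response captured on a look-alike site or replayed later is rejected by the real site, and nothing stored on the server can be used to sign in elsewhere.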