It recently made headlines across the world that Apple, Google and Microsoft have committed to support a common standard for password-free sign-ins in order to make the web a safer space for all. The standard they are championing (called FIDO) works using the same technology we use to unlock our devices every day – like using a PIN, fingerprint or facial recognition; only now, this action will help us sign into websites and apps. It’s not only simpler, but the FIDO standards being used make identity management systems cryptographically secure, easy and consistent across devices and websites.
Megan Shamas, Senior Director of Marketing at FIDO Alliance.
The recent announcement that Apple, Google and Microsoft will expand their support of passwordless sign-in standards created by FIDO Alliance and the World Wide Web Consortium is a huge step forward for the industry and sets the path for many service providers to get on the road to passwordless.
If you’re thinking this sounds like it might be a big deal, it is. And it’s been years in the making from not only these three tech companies, but an entire industry coming together to reduce the world’s reliance on passwords. Let’s look a little deeper at the FIDO Alliance, its standards, support and the future of passwordless.
What is the FIDO Alliance?
The FIDO (Fast Identity Online) Alliance was launched publicly in 2013 to create standards and gain adoption for stronger and simpler authentication technology over usernames, passwords and other legacy methods for signing into online services.
While it’s a huge win that the world’s three biggest platforms – Apple, Google and Microsoft – are championing FIDO, they aren’t the only driving force behind the FIDO Alliance, and are collaborating alongside hundreds of companies all over the world to make simpler, stronger authentication a reality.
FIDO Alliance members include the world’s biggest tech platforms like Apple, Google and Microsoft; those in the financial world like Visa, Mastercard and JCB; consumer device players like Samsung and Huawei; social networks like Meta and Twitter; retailers like Amazon and eBay; governments and consultants; and hardware and software vendors (big and small!) like HID, IDEMIA and Thales – plus many more.
Having all of these stakeholders from multiple verticals participate in FIDO Alliance standards creation and adoption activities is paying off. Today, FIDO standards are supported in billions of devices and all modern web browsers, hundreds of products are FIDO Certified, and major service providers like Amazon, eBay and Microsoft are already offering FIDO for sign-in.
Why does FIDO matter?
Ultimately, anything that is still underpinned by a password holds a level of insecurity, as it is stored centrally and can be shared. FIDO, on the other hand, leverages device-based authentication with public key cryptography. As such, FIDO credentials are phishing-resistant, meaning they simply cannot be shared or compromised in the same way or at the same scale as passwords.
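The phishing resistance described above comes from the credential’s signature being bound to the web origin the browser actually connected to. The Go program below is an added illustration, not FIDO Alliance code, and a deliberate simplification of WebAuthn (no authenticator data or rpIdHash, and an assumed client-data shape): the relying party accepts an assertion only if it carries the challenge it issued and its own origin, so an assertion produced on a look-alike site is useless to the attacker.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Authenticator holds one key pair per site; the private key never leaves the device.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// ClientData is a simplified stand-in for WebAuthn's clientDataJSON (assumed shape, not the spec's).
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register models enrolment: a fresh key pair is generated and only the public key goes to the site.
func Register() (*Authenticator, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}, &priv.PublicKey
}

// Sign models sign-in: the browser records the origin it is actually talking to, and the
// authenticator signs over that record plus the site's challenge. Returns (clientData, signature).
func (a *Authenticator) Sign(challenge, browserOrigin string) ([]byte, []byte) {
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: browserOrigin})
	h := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	if err != nil {
		panic(err)
	}
	return cd, sig
}

// Verify is the relying party's check: the challenge it issued, its own origin, and the
// signature. A look-alike site receives an assertion bound to its own origin, which fails here.
func Verify(pub *ecdsa.PublicKey, expectedChallenge, rpOrigin string, clientData, sig []byte) bool {
	var cd ClientData
	if json.Unmarshal(clientData, &cd) != nil || cd.Challenge != expectedChallenge || cd.Origin != rpOrigin {
		return false
	}
	h := sha256.Sum256(clientData)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Because the user never types a secret and the signed origin is chosen by the browser rather than by the page, there is nothing for a fake site to capture and replay.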
Password-only authentication is one of the biggest security problems on the web. And not only that, managing the number of passwords required of us in our modern lives is cumbersome and near impossible to do effectively. Consequently, consumers regularly reuse the same passwords across services, a practice that makes them highly vulnerable to costly account takeovers, data breaches, and even stolen identities.
There were nearly 2,000 data breaches in 2021 according to the Identity Theft Resource Center’s Annual Data Breach Report – a 68% increase over 2020. When each breach happens, the emails and passwords associated with online accounts are also commonly leaked, meaning consumers’ credentials end up on the dark web and exposed to phishing scams or identity theft.
The most common passwords on the dark web? You could probably guess them, which supports my other point: as well as being reused, easily guessable passwords still remain by far the most common. That’s right: 123456, 123456789, qwerty, password, and Abc123 all rank in the top ten.
While password managers and legacy forms of two-factor authentication offer incremental improvements, these are increasingly at risk, as well as posing a major inconvenience for consumers. One-time passcodes sent over SMS, for example, are still phishable and can be compromised – there are even hacker DIY toolkits available on the web now to help you do it.
Power to passwordless – what’s next for FIDO?
We have talked about FIDO’s broad industry backing and support on every major operating system and browser, so what is the latest news from the Alliance, Apple, Google and Microsoft and what does it mean for the future of passwordless?
What the three companies have announced is expanded support for FIDO standards, to give users two new capabilities for more seamless and secure passwordless sign-ins:
- Users can automatically access their FIDO sign-in credentials (also known as “passkeys”) on many of their devices, even new ones, without having to re-enroll every account.
- Users can use FIDO Authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.
These new features aim to provide a considerably better sign-in experience and an invaluable progression towards making passwordless a day-to-day reality for consumers. Service providers can offer FIDO sign-ins without needing a password as an alternative sign-in or account recovery method – helping them to go truly passwordless. The expectation is that we will see a new wave of low-friction FIDO implementations, alongside the ongoing and growing use of high-assurance FIDO security keys, giving service providers the full range of options for deploying modern, phishing-resistant authentication.
This is yet another step on the journey towards using fewer and fewer passwords. What’s next? We aren’t there just yet – we need to see these capabilities come to market, service providers offer it, and consumers start to use it. But the future is looking bright – and maybe not yet ‘passwordless’ but certainly with ‘less’ passwords.