Apple, Google, and Microsoft announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.
This allows websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.
Google says, “This will simplify sign-ins across devices, websites, and applications no matter the platform — without the need for a single password. These capabilities will be available over the course of the coming year.”
How Does Passwordless Authentication Work?
In practice, when a user signs in to a website or an application on their phone, they only have to unlock the phone; the account no longer needs a password.
“Instead, your phone will store a FIDO credential called a ‘passkey’ which is used to unlock your online account. The passkey makes signing in far more secure, as it’s based on public-key cryptography and is only shown to your online account when you unlock your phone”, explains Google in a blog post.
Thus, the user will not need the phone again; they can sign in just by unlocking the computer.
“Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off”, says Google.
This new passwordless authentication gives users two new capabilities for more seamless and secure passwordless sign-ins:
- Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to re-enroll every account.
- Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.
According to the FIDO Alliance, “This new capability stands to usher in a new wave of low-friction FIDO implementations alongside the ongoing and growing utilization of security keys — giving service providers a full range of options for deploying modern, phishing-resistant authentication.”
Passwordless Protects Against Phishing
The expanded new approach will give websites and apps the ability to offer an end-to-end passwordless option.
“Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN”, says the FIDO Alliance. Hence, this new approach protects against phishing, and sign-in will be drastically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS.
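The two points made above, that a passkey is a public-key credential and that signing in with it resists phishing, can be seen in a simplified model of a WebAuthn-style sign-in. This is an added example, not code from Google or the FIDO Alliance; the function names, the `example.com` relying party and the look-alike origin are constructed, and the message layout is a reduced form of a WebAuthn assertion.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Enrollment: the device keeps the private key; the website stores only the public key.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { device: { rpId, privateKey }, server: { rpId, publicKey } };
}

// Device side: once the user unlocks the device, sign the website's challenge
// together with the origin the browser actually observed.
function signAssertion(device, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // rpIdHash || flags (0x05 = user present + user verified) || 4-byte signCount
  const authenticatorData = Buffer.concat([sha256(device.rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), device.privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Website side: accept only the challenge issued for this session, the expected
// origin and RP ID hash, a user-verified flag, and a signature from the enrolled key.
function verifyAssertion(server, expected, assertion) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'wrong type';
  if (clientData.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (clientData.origin !== expected.origin) return 'origin mismatch';
  const authData = assertion.authenticatorData;
  if (!authData.subarray(0, 32).equals(sha256(server.rpId))) return 'rpId mismatch';
  if ((authData[32] & 0x04) === 0) return 'user not verified';
  const signed = Buffer.concat([authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, server.publicKey, assertion.signature)
    ? 'ok' : 'bad signature';
}

// Constructed scenario: a genuine sign-in, one relayed from a look-alike origin, and a replay.
function demo() {
  const { device, server } = createPasskey('example.com');
  const expected = { challenge: crypto.randomBytes(32), origin: 'https://example.com' };
  const genuine = signAssertion(device, expected.challenge, expected.origin);
  // A real browser would not offer this passkey on a look-alike origin at all;
  // the model shows the server-side check that backs that up.
  const phished = signAssertion(device, expected.challenge, 'https://examp1e-login.test');
  const later = { ...expected, challenge: crypto.randomBytes(32) }; // a later session
  return [genuine, phished].map((a) => verifyAssertion(server, expected, a))
    .concat(verifyAssertion(server, later, genuine));
}
console.log(demo());
```

Unlike a password or an SMS one-time passcode, nothing the user hands to a look-alike site can be reused: the signature covers the origin and a one-time challenge, and the private key never leaves the device.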