People generally have weak passwords for their online profiles, and some are so bad that, rather than relying on people to change their habits and create stronger passwords, the three most prominent players in the tech space – Apple, Google, and Microsoft – have decided to get rid of passwords altogether and adopt a completely new system for users to sign in to their accounts.
In a joint effort to reduce the number of data breaches and hacked user accounts, Apple, Microsoft, and Google announced on Thursday that they had committed significant resources to building a new system for passwordless sign-in. It will be rolled out across all of the mobile, desktop, and browser platforms they control in the years to come.
“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, senior director of platform product marketing at Apple. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience to keep users’ personal information safe,” added Knight.
The idea is to use one physical device, usually a smartphone, as the main authenticator for apps, websites, and other digital services. Unlocking that smartphone using a PIN, pattern, or fingerprint should be enough to log in to any web service. These authenticators will use a cryptographic token or a passkey shared between the phone and the website.
This way, users get a straightforward and secure login system. They will no longer have to remember complex passwords, which is why people choose bad passwords such as ‘123456’ or ‘password’ in the first place and then reuse them across various other profiles.
Furthermore, the most basic form of “phishing”, or password theft, occurs when people browse on compromised networks or visit compromised websites that ask them to enter a password, which is then picked up by bad actors.
A passwordless system that uses such a passkey will make it much more difficult for hackers to compromise login details remotely since signing in requires access to a physical device.
The most common passkey standard in the tech space is the FIDO passkey, developed by the FIDO Alliance. It works by having the user’s phone store a unique FIDO-compliant passkey and share it with a website for authentication only when the phone is unlocked. Per Google’s post, passkeys can also be easily synced to a new device from cloud backup if a phone is lost.