Truth be told, I’m not the greatest fan of World Password Day. Such whimsical labels for one day of the year tend not to make much difference to the overall awareness of important security issues for most users, it seems to me. However, I’ll make an exception for 2022 as three technology behemoths used the focus of password day to announce a stunning security pact. Ironically, a pact that could see passwords phased out in day-to-day use for millions of people. Here’s what Apple, Google and Microsoft announced and why it matters.
Getting rid of password friction to strengthen security
Anyone who has ever read my articles or watched the Forbes Straight Talking Cyber video series will know that I’m not a massive fan of passwords. Or, rather, of the fact that they tend to encourage poor security hygiene amongst users. Easy to remember and easy to guess, passwords are the order of the day for so many and, to make matters even worse, they are then reused across multiple accounts, sites and services. I’ve always been evangelistic about password managers, but even these applications, which make passwords less of a chore while strengthening security, are too much hassle for the majority. For better security measures to gain leverage with the average user they need to create as little friction as possible, to be so easy to use that you hardly notice they are there. Which is why I’m also a fan of ‘passwordless’ systems and so enthusiastic about the stunning security pact between Apple, Google and Microsoft for 2022 and beyond.
Stunning security pact between Apple, Google and Microsoft revealed
So, what have Apple, Google and Microsoft announced? In short, the three tech giants have agreed to a joint effort committing to “extend support for a common passwordless sign-in standard.” What does that mean? Well, let’s start with what it doesn’t mean: any immediate changes. These will likely roll out in the coming months, and I wouldn’t be at all surprised if we are talking more towards year-end before this vision of a passwordless future becomes something of a reality across all three vendor platforms. What it does mean is a commitment to the FIDO (Fast ID Online) Alliance standards, using mobile devices instead of passwords to authenticate to apps and websites, and doing so cross-platform. This is important because you will be able to log in to a site or service on your ‘in-range’ computer just by looking at your phone, scanning your fingerprint, or entering a PIN.
More straightforward, stronger, cross-platform authentication for all
In this scenario, the smartphone acts as a secure passkey store. Using, for example, biometrics to access that key provides something you are (face or fingerprint scan) or something you know (a PIN) plus something you have (the smartphone) in one single, simple action. As I’ve already pointed out, improving security requires user acceptance, which means solutions must be as frictionless as possible. This ticks that box. If you are already used to Face ID on your iPhone, Windows Hello on your computer, and Microsoft Authenticator or Google prompts for two-factor smartphone authentication, you’ll appreciate how simple this is. The latter already shows how this cross-platform passwordless technology will work: you want to access a site or service using a Google Chrome browser on a Windows PC, and you can do so just by confirming a prompt that pops up on your iPhone. How cool and convenient is that?
Easier security, more robust security
While there is some mileage in the argument against putting all your authentication eggs in one basket, a smartphone-shaped basket, it is actually more secure than it sounds. At least for most people, most of the time. For a threat actor to access your accounts or services, they need to have physical access to your device and your face/fingerprints or PIN. This is not impossible by any means, nobody would suggest it is, and there’s also an argument to be made about this making access for law enforcement easier in certain circumstances. However, when talking about the average user, someone who likely isn’t using the strongest of passwords but is statistically likely to be reusing them across sites and services, it’s a big step forward as far as secure authentication is concerned in my never humble opinion.
What do the experts say about this stunning security pact?
Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA): “The standards developed by the FIDO Alliance and World Wide Web Consortium and being led in practice by these innovative companies is the type of forward-leaning thinking that will ultimately keep the American people safer online. I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers.”
Jake Moore, global cyber security advisor at ESET: “It is encouraging that Microsoft, Google, and Apple are attempting to pave the way to make account access secure as well as convenient. This isn’t something that can be achieved overnight, but it highlights that more needs to be done when it comes to password security. Cybercriminals will inevitably attempt to circumnavigate by looking for ways to exploit this method as nothing remains hackproof, but like with any early adoption of new technology, this is a great start and we are likely to see a decent version of this in the near future.”