When Apple, Google and Microsoft stop punching each other’s faces off and agree on something, you know it’s important. And that’s true for the recent joint announcement: Apple, Google, and Microsoft commit to expanded support for FIDO standard to accelerate availability of passwordless sign‑ins. The headline is drier than the Sahara, but what it stands for matters: the elimination of passwords. Apple Passkeys is the name for how this will work on Apple’s devices.
“But wait,” you might interject, “what’s so bad about passwords?” Everything. Our lives are tied up in online identities and services protected by passwords; and when nefarious types steal them, lives are upended. Yet the burden passwords place on everyone is such that many people leave accounts vulnerable to attack.
It says everything that one of the most popular passwords is, quite literally, ‘password’. Elsewhere, people reuse passwords across multiple services, meaning if one is breached, they all are. Bad limitations exist, like when services restrict passwords to only eight characters. And terrible advice lingers – recently, I received a press release that suggested people use a formula for frequently changed passwords, so they only need to adjust part of it each time. Just no.
FIDO (Fast IDentity Online) is designed to fix all this, by removing friction, annihilating avenues for phishing, retaining security and privacy, and having an acronym that makes you think of a cute puppy. With Apple, Google and Microsoft on board, the system will cover Android, iOS, iPadOS, macOS and Windows, along with the Chrome, Edge and Safari web browsers.
But how will it work? In short, when you sign up for an account, you’ll define a username and then use your prodding digit or face to authenticate (or a PIN, if you avoid biometrics because you think The Man is out to get you). That’s it. When you next log in, you’ll authenticate in the same way, and a Bluetooth component in the spec will let you use a device to log into accounts on nearby gear as well – whatever OS it’s running.
The biggest benefit was summed up by Microsoft’s Alex Simons – Corporate Vice President, Identity Program Management (and in need of a shorter job title): “The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier and faster than the passwords and legacy multi-factor authentication methods used today.”
And that’s the case here. FIDO is user-friendly. It removes the need to remember passwords, but demands you are present, removing spoofing and phishing from the equation. It eliminates conflict escalation, which has resulted in you having to jump through increasingly complex hoops to sign into online services. And the cloud-native nature of the onboard tech trio means your passkeys are always with you, synced to your devices.
It leaves dodgy types with nothing to steal – at least, not at scale. Today, a hack can afford someone instant access to millions of passwords. If someone grabs your phone and you’re using FIDO, that at worst will be a problem for you, rather than millions of others. Even then, your device itself would have to be unlocked – or unlock with a passcode rather than biometrics, and for that passcode to be one the thief knows. Unlikely.
Cynics might grumble they’ve heard all this before. And there is the possibility even with Apple, Google and Microsoft behind the initiative, stating these new capabilities will arrive over the coming year, we could be in for a bumpy ride. After all, plenty of companies have interests in password-based authentication, while many bodies and individuals are reluctant to give Apple et al yet more power – or flat out don’t trust them.
Still, what was once a pipe dream now seems possible – even probable. So let’s look forward to FIDO and hope it’s rolled out and embraced at speed. In the meantime, use two-factor authentication, a password manager and Have I Been Pwned, while dreaming of an future when you don’t have to think about any of that stuff ever again.