A big bet to kill the password for good
2022-03-20
After years of tantalizing hints that a passwordless future is just around the corner, you’re probably still not feeling any closer to that digital unshackling. Ten years into working on the issue, though, the FIDO Alliance, an industry association that specifically works on secure authentication, thinks it has finally identified the missing piece of the puzzle.
On Thursday, the organization published a white paper that lays out FIDO’s vision for solving the usability issues that have dogged passwordless features and, seemingly, kept them from achieving broad adoption. FIDO’s members collaborated to produce the paper, and they span chipmakers like Intel and Qualcomm, prominent platform developers like Amazon and Meta, financial institutions like American Express and Bank of America, and the developers of all major operating systems—Google, Microsoft, and Apple.
The paper is conceptual, not technical, but after years of investment to integrate what are known as the FIDO2 and WebAuthn passwordless standards into Windows, Android, iOS, and more, everything is now riding on the success of this next step.
“The key to being successful for FIDO is being readily available—we need to be as ubiquitous as passwords,” says Andrew Shikiar, executive director of the FIDO Alliance. “Passwords are part of the DNA of the web itself, and we’re trying to supplant that. Not using a password should be easier than using a password.”
In practice, though, even the most seamless passwordless schemes are not quite there. Part of the challenge simply lies with the enormous inertia passwords have built up. Passwords are difficult to use and manage, which drives people to take shortcuts like reusing them across accounts and creates security issues at every turn. Ultimately, though, they’re the devil you know. Educating consumers about passwordless alternatives and getting them comfortable with the change has proven difficult.
Beyond just acclimating people, though, FIDO is looking to get to the heart of what still makes passwordless schemes tough to navigate. And the group has concluded that it all comes down to the procedure for switching or adding devices. If the process for setting up a new phone, say, is too complicated, and there’s no simple way to log in to all of your apps and accounts—or if you have to fall back to passwords to reestablish your ownership of those accounts—then most users will conclude that it’s too much of a hassle to change the status quo.
The passwordless FIDO standard already relies on a device’s biometric scanners (or a master PIN you select) to authenticate you locally without any of your data traveling over the Internet to a web server for validation. The main concept that FIDO believes will ultimately solve the new device issue is for operating systems to implement a “FIDO credential” manager, which is somewhat similar to a built-in password manager. Instead of literally storing passwords, this mechanism will store cryptographic keys that can sync between devices and are guarded by your device’s biometric or passcode lock.
At Apple’s Worldwide Developer Conference last summer, the company announced its own version of what FIDO is describing, an iCloud feature known as “Passkeys in iCloud Keychain,” which Apple says is its “contribution to a post-password world.”