Passwords have been falling out of favor for some time: they are weak protection against attackers and phishers online, and managing them is inconvenient. To make a password hard to guess or crack, users are told to use a long, complex sequence of characters.
Since almost nobody can remember many such passwords, most users fall back on one simple password that they reuse across all of their online accounts. Password managers are a safer, if somewhat more time-consuming, way to generate, store and manage complex, unique passwords.
Risk remains, however: a password manager's vault can be stolen if the device it runs on is infected with malware (and some managers have already been attacked), and any password reused elsewhere is only as safe as the weakest site that holds it.
CSO suggests two-factor authentication as a mitigation, but the common second factors (SMS codes, one-time passcodes, push approvals) can themselves be phished or relayed. Rather than keep inventing new ways to manage passwords, the major platform vendors have decided to phase them out altogether.
Microsoft, Apple and Google have announced that they will expand support for the free and open passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium (W3C). How do they intend to replace passwords? With passkeys. Let's explore the details.
FIDO credentials, also known as passkeys, let you sign in to a service from multiple devices and platforms with one account. Under the hood, a unique public/private key pair is created for each app or website. The private key stays on your device (or, for passkeys, in the platform's synced credential store) and is unlocked by the device's PIN or biometric, which never leaves the device. When you log in, the site sends a random challenge, your device signs it with the private key it holds for that site, and the site verifies the signature against the public key it stored when you registered.
A nearby device that already holds FIDO credentials can also be used to sign in on a new device. In effect, your phone becomes a hardware token that authenticates access on another device.
The FIDO Alliance describes how this works in a white paper on the security of the new authentication scheme. In short, the cross-device flow uses Bluetooth Low Energy to confirm that the phone is physically near the device being signed in to, rather than relying purely on an internet-delivered prompt the way some push-based 2FA systems do.
FIDO credentials are phishing-resistant: each credential is bound to the domain it was registered for, so a lookalike site cannot obtain a valid signature, and the Bluetooth requirement means a remote attacker cannot relay the cross-device flow from afar. That is why the white paper recommends the user's phone as the authenticator when signing in on other devices.
FIDO support is due on Apple, Google and Microsoft platforms over the course of the next year. The Alliance has not given a definite date, so we'll keep our eyes open.
Apple has a head start on the passkey trend: it already ships a complete implementation in iOS 15 and macOS Monterey, but that implementation isn't compatible with other platforms. Passkey support has also been spotted in Google Play Services on Android.
Another concern left to resolve is interoperability between platforms, so that users can, for example, authenticate with their Microsoft passkeys on Apple devices.
Ditching passwords does not seem like a bad idea, and users won't miss them. But the FIDO Alliance still needs to work out some kinks before passwordless sign-in is safe and effective. What happens when your device is lost?
According to the FIDO Alliance white paper, you can still recover your account by logging in to your main platform account. But how? With a password? It is not a problem if you set up your credentials on more than one device, but what happens when those devices aren't nearby? It will be interesting to see how the new FIDO credentials close these gaps.