Microsoft, Apple, and Google announced today that they will support passkeys, the passwordless sign-in standard from the World Wide Web Consortium (W3C) and the FIDO Alliance.
Once introduced, these new Web Authentication (WebAuthn) credentials (also known as FIDO credentials) will allow users of the three tech giants' platforms to log in to their accounts without using a password.
Instead of passwords, they will be able to use a PIN or biometric authentication (fingerprint or face) to verify their identity.
“You’ll just need your phone nearby to sign into a website on your computer, and you’ll be requested to unlock it for access,” said Sampath Srinivas, Google PM Director for Secure Authentication.
“Even if you lose your phone, your passkeys will securely sync from cloud backup to your new phone, allowing you to pick up right where your old device left off.”
Over the next year, the new capabilities should be available across Microsoft, Apple, and Google’s top platforms, devices, websites, and apps.
“These multi-device FIDO credentials, also known as passkeys,” added Microsoft Identity Division Vice President Alex Simons, “represent a monumental step toward a world without passwords.”
When available, passkeys will eliminate the need to sign in to each app or website on each device, while also providing extra features for smoother passwordless sign-ins:
Users can automatically access their passkeys on a variety of devices without having to re-enroll for each account.
Users can sign in to an app or service on practically any device using passkeys, regardless of the platform or browser the device is running.
Because passwords are the most common point of entry exploited by criminals to hijack online identities, moving away from them will make the web safer.
“There are 921 password attacks every second,” said Vasu Jakkal, Microsoft’s Corporate Vice President of Security, Compliance, Identity, and Management, “almost doubling in frequency over the past 12 months.”
Sign-in without a password
Microsoft, the largest of the three firms, has been pushing towards passwordless sign-ins across many of its platforms and services for some years.
Over 150 million users logged into their Azure Active Directory and Microsoft accounts without using passwords in December 2020, according to Microsoft.
In September, Microsoft began rolling out passwordless login support for all Microsoft accounts, allowing customers to access their accounts without entering a password.
The Microsoft Detection and Response Team (DART) said in October that it had seen an upsurge in password spray attacks aimed at privileged cloud accounts and high-profile identities.
Simons disclosed a year ago that password spray attacks were among the most common authentication threats, accounting for more than a third of all enterprise account compromises.
“I congratulate our private sector partners’ commitment to open standards that give service providers more freedom and customers a better user experience,” said CISA Director Jen Easterly.
“Today marks a significant step forward in the security journey to encourage built-in security best practices and assist us in moving beyond passwords.”