Apple, Google, and Microsoft said Thursday that they have committed to broader support for removing passwords entirely from their platforms, using standards created by the FIDO Alliance and the World Wide Web Consortium.
The way they're going to do it should already be familiar: The three tech giants will lean more heavily on using smartphones as two-factor authentication via a PIN or fingerprint, and using that authentication to verify yourself on an operating system or website. Essentially, they say, you'll have the option for an end-to-end passwordless solution.
In theory, according to passwordless standards advocate the FIDO Alliance, the platforms used by the three companies already support passwordless authentication, but not in its entirety. One problem today's agreement solves is the current necessity to sign up for passwordless authentication on one device, but then re-enroll yourself on a second device, such as an additional PC or new phone. FIDO says today's agreement goes further, allowing users to automatically access their FIDO credentials on their devices without having to re-enroll. The agreement also allows you to sign in on a mobile device, and then access the site on a nearby PC or Mac, regardless of the OS or browser.
This may sound abstract, but the agreement has very real-world consequences: If your phone is lost or stolen, trying to re-establish contact with your banking application can be difficult without access to the cryptographic passkey your banking app stored in your lost phone. What this agreement does, according to a FIDO blog post, is make password recovery far easier—theoretically, you could log in on a second, older phone you owned and use your fingerprint to quickly re-enable access to your accounts and also alert the bank of the missing phone.
The agreement would also do away with one-time passcodes sent to your phone via SMS—which a SIMjacking attack can intercept.
By introducing these new capabilities, we hope to empower websites and apps to offer an end-to-end truly passwordless option; no passwords or one-time passcodes (OTP) required, the FIDO Alliance wrote. The user experience of sign-in becomes a simple verification of a user's biometric or a device PIN—the same consistent and simple action that consumers take multiple times each day to unlock their devices. The vision is that these experiences will be available across all our devices, operating systems, and browsers.
According to the FIDO Alliance, these capabilities should roll out across Apple, Google, and Microsoft platforms later this year.