Introduction of Passkeys

Last year Apple, Google and Microsoft announced a joint effort to kill the password. Ron Amadeo for Ars Technica:

The first Thursday of May is apparently “World Password Day,” and to celebrate Apple, Google, and Microsoft are launching a “joint effort” to kill the password. The major OS vendors want to “expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.”

The standard is being called either a “multi-device FIDO credential” or just a “passkey.” Instead of a long string of characters, this new scheme would have the app or website you’re logging in to push a request to your phone for authentication. From there, you’d need to unlock the phone, authenticate with some kind of pin or biometric, and then you’re on your way. This sounds like a familiar system for anyone with phone-based two-factor authentication set up, but this is a replacement for the password rather than an additional factor.

In May of this year, Google announced that Passkey support is rolling out to accounts. From the Google Blog:

Passkeys are a more convenient and safer alternative to passwords. They work on all major platforms and browsers, and allow users to sign in by unlocking their computer or mobile device with their fingerprint, face recognition or a local PIN.

Using passwords puts a lot of responsibility on users. Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts. 2SV (2FA/MFA) helps, but again puts strain on the user with additional, unwanted friction and still doesn’t fully protect against phishing attacks and targeted attacks like “SIM swaps” for SMS verification. Passkeys help address all these issues.

Passkeys have been put forward as phishing resistant, using a root of trust that you carry around with you. Many people in the wider security community are skeptical, pointing to potential issues around passkeys and to how criminals will inevitably trick users into logging into accounts that the criminals control. One of the primary concerns that I have is what happens if your Google / Apple / Microsoft account is compromised or closed, and what happens if you lose the phone or device that can be used to get back into your accounts. Only time will tell if this project will be a success or not.
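The phishing-resistance claim rests on the relying party checking the origin the browser records in a WebAuthn assertion, and this added Go model (not code from the post, Google or the FIDO Alliance) shows that server-side check with a constructed P-256 passkey, a placeholder for authenticatorData, and hypothetical function names. In a real flow the browser also refuses to offer a credential whose rpId does not match the site, so a lookalike domain normally never gets this far; only the relying-party side is modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData: the clientDataJSON fields a relying party checks (simplified; real data has more).
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// signedDigest is what ES256 signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// verifyAssertion performs the relying party's checks on a login assertion.
func verifyAssertion(pub *ecdsa.PublicKey, rpOrigin, challenge string, authData, cdj, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil { return err }
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("wrong ceremony type or stale/replayed challenge")
	}
	// Phishing-resistance check: the browser, not the page's script, writes origin into clientDataJSON.
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, rpOrigin)
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(authData, cdj), sig) { return fmt.Errorf("bad signature") }
	return nil
}
// runFlow simulates one login with a constructed passkey: RP issues a challenge, browser records its origin, authenticator signs, RP verifies.
func runFlow(rpOrigin, browserOrigin string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the registered passkey (constructed)
	if err != nil { return err }
	raw := make([]byte, 32)
	rand.Read(raw)
	challenge := fmt.Sprintf("%x", raw)
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	authData := []byte("rpIdHash|flags|counter") // stand-in for the real authenticatorData bytes
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cdj))
	if err != nil { return err }
	return verifyAssertion(&priv.PublicKey, rpOrigin, challenge, authData, cdj, sig)
}
```

Calling runFlow with the same origin on both sides succeeds, while a lookalike browser origin such as https://examp1e.com is rejected before the signature is even checked.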