FP Explainers, May 06, 2022 12:27:32 IST
People generally have weak passwords for their online profiles. But some of us have such bad passwords that, instead of relying on people to change their habits and create stronger passwords, the three biggest players in the tech space – Apple, Google and Microsoft – have decided to get rid of passwords altogether and use a completely new system for users to sign in to their accounts.
In an effort to reduce the number of data breaches and hacked user accounts, Apple, Microsoft and Google jointly announced on Thursday that they have committed significant resources to building a new system for passwordless sign-in. It will be rolled out in the years to come across all of the mobile, desktop and browser platforms they control.
“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, senior director of platform product marketing at Apple. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe,” added Knight.
The idea is to use one physical device, usually a smartphone, as the main authenticator for apps, websites and other digital services. Unlocking that smartphone with a PIN, pattern or fingerprint should be enough to log in to any web service. These authenticators will use a cryptographic token, or passkey, that is shared between the phone and the website.
This way, users get a very simple and secure login system and no longer have to remember complex passwords. Having to remember them is the reason people pick bad passwords such as ‘123456’ or ‘password’ in the first place, and then reuse those passwords across their other profiles.
Furthermore, the most basic form of “phishing”, or password theft, happens when people browse on compromised networks or visit compromised websites that ask them to enter a password, which bad actors then pick up.
A passwordless system that uses such a passkey will make it much more difficult for hackers to compromise login details remotely since signing in requires access to a physical device.
The most widely used passkey standard in the tech space is the FIDO passkey, developed by the FIDO Alliance. The way it works is that a user’s phone stores a unique FIDO-compliant passkey and shares it with a website for authentication only when the phone is unlocked. Per Google’s post, passkeys can also be easily synced to a new device from cloud backup in the event that a phone is lost.