Access management, digital identity, fraud and cybercrime management
Top tech vendors support FIDO Alliance’s passwordless login standard
Michael Novinson
May 7, 2022
Apple, Google, and Microsoft are joining forces to support a standard that allows websites and apps to offer passwordless login across devices and platforms.
The three operating system and browser giants have put their weight behind a common passwordless login standard created by the FIDO Alliance that prevents remote adversaries from carrying out phishing or man-in-the-middle attacks, Andrew Shikiar, CEO of the FIDO Alliance, tells Information Security Media Group. The new approach means that users no longer have to register each of their devices separately (see: FIDO Alliance Update: New Guidelines, Standards Improvements).
“They’re not doing it out of altruism,” Shikiar says. “They are really doing this because they understand that this is not a problem that any company can solve on their own. This really needs to be an industry-created solution for the industry to allow us collectively to turn the tide on the data breaches and account takeovers that continue to plague and threaten the integrity of our digital economy.”
Having each vendor take its own approach to passwordless login would be of little help, since many consumers use operating systems and browsers from different software makers, says Jeremy Grant, managing director of Venable and a contributor to ISMG. Having the three companies that control the entire OS and browser market agree on one approach brings a unified model to the market, which will greatly enhance adoption.
“It’s not easy in a sector where these companies are often at each other’s throats in terms of being competitive and competing,” Grant tells ISMG. “In most cases, you want to see companies compete with each other, but I think this is one area where the feedback from the market has been very clear. We need to see stronger collaboration here.”
Never lose your keys
Historically, Grant says, password alternatives were tied to keys held on a specific device, and a different key had to be used for each login instance while browsing the web. But Shikiar says this posed challenges when users lost possession of an authenticator or acquired a new device, prompting the FIDO Alliance to devise a new model that changes how private keys are accessed.
Grant says authentication vendors have historically not wanted to clone and export private keys because that was seen as a potential vulnerability. But over the past 18 months, the industry has realized that this assumption needs to be rethought, since it would be nearly impossible to achieve anti-phishing authentication at mass-deployment scale without exporting the keys to the cloud, where they can be adequately protected.
“By securely storing private keys in the cloud and then synchronizing them across devices, they make the idea of passwordless authentication significantly more usable for consumers and businesses,” Grant says. “You’re basically taking on and eliminating the biggest challenge that’s held back deployments over the years by managing this for consumers more easily.”
Google Chrome users can currently sign in without a password to certain websites such as eBay, and Google itself always allows a user to sign back in without a password, according to Sam Srinivas, Google's director of product management for authentication security and president of the FIDO Alliance. But today Google still requires a password when a user tries to sign in for the first time on a device, he says.
Srinivas says Google has done 70% of the work needed so customers can use FIDO authentication on a nearby mobile device to verify their identity during their first login instead of a password. New capabilities that allow for smoother and more secure password-free logins are expected to be available across Apple, Google and Microsoft over the next year, the FIDO Alliance reports.
If a user drops their phone in the toilet and has to buy a new one, Srinivas says Android can seamlessly restore passkeys from a secure online backup.
“As long as you can turn your phone on, you will always be ready,” says Srinivas. “You can just pick up from there and move on. And you’ll never lose your keys because the cloud has your keys.”
Get the password for the fans
Big companies like eBay, Best Buy and Wayfair have the technical infrastructure to support passwordless authentication on their own, but smaller or less sophisticated online retailers don't have a sophisticated security or authentication infrastructure, so they end up defaulting to passwords, Srinivas says. He says service providers will be able to rely entirely on device makers for authentication.
“They are not investing much in authentication and infrastructure today,” Srinivas says. “This is a much better way for them to authenticate their users by taking advantage of the proven security capabilities of these platforms. From a user point of view, the user experience will be more elegant. Basically it will be a password manager like experience, but issuing FIDO key pairs instead of passwords.”
Only 22% of organizations currently have multi-factor authentication, and Srinivas says the adoption of the FIDO Alliance standard by Apple, Google and Microsoft should make it easier for people to adopt strong authentication. Srinivas says CISOs in consumer-facing organizations will be happy to rely on the big OS providers because it will make multi-factor authentication accessible to more people.
“I’ve talked to CISOs all the time in organizations that wanted to deploy FIDO but had some usability concerns, some scaling concerns, and some payback concerns,” says Srinivas. “This addresses all of those questions.”