Passwordless Authentication is Entering the Mainstream
In May 2022, three tech giants who have traditionally been engaged in friendly competition with one another came together and announced that they would be doing something that has been in the works for quite a few years – they are going to kill the password. For a very long time, passwords seemed like the only logical way of protecting one’s devices and accounts – it is a form of authentication that has been in use for centuries in one way or another. But Microsoft, Google, and Apple are coming together to ensure that passwordless authentication becomes widely available on all platforms by the end of 2023, at the very latest.
Passwordless authentication has been growing in popularity for quite some time. One company we spoke to, TechQuarters, which provides IT support services to London companies, felt that passwordless authentication is a worthwhile trend that will give their customers, as well as organisations and individuals around the world, much better security assurances.
Earlier this month, the senior director for platform product marketing at Apple spoke about passwordless authentication. “Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.”
What is Passwordless Authentication?
The way in which traditional authentication works is shockingly insecure: it relies on just a single layer of authentication. With passwords being used to gain access to things like online email clients and websites, users are transmitting their passwords over the internet, which is a perfect opportunity for them to be intercepted. This is why passwordless authentication is considered a more secure option: it adds an element of physical security to authentication that is much harder for a hacker or a cybercriminal to circumvent.
Passwordless authentication stands on the principle that a user will have an authentication device that they use to access their devices and their accounts. The most common and suitable authentication device for the average person would be their smartphone. The user’s smartphone can store a form of unique cryptographic token known as a passkey, which gets shared between the smartphone and whichever device or digital service that user is accessing. The sharing of that passkey is what authenticates the access.
As mentioned above, this adds an element of physical security to authentication attempts: anyone who is not in possession of the unique authentication device (e.g. the user’s phone) will not be able to authenticate themselves, so the device or digital service in question cannot be accessed. What is more, the passkey used to authenticate can only be shared when the phone being used is unlocked.
Passwordless Authentication Availability
“With passkeys on your mobile device, you’re able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running,” said Vasu Jakkal, who is the vice president of security, compliance, identity, and privacy at Microsoft. “Users can sign in on a Google Chrome browser that’s running on Microsoft Windows—using a passkey on an Apple device.”
This is the type of widespread availability that the three tech giants – Microsoft, Apple, and Google – want to have implemented throughout the tech industry. It is their belief that the industry – and society as a whole – will not benefit from the added security of passwordless authentication if it isn’t available across all their devices.
As well as this, there is a common flaw that has been identified in current passwordless authentication technology: in order to set it up, users need to use a password to access the device or digital service. Unfortunately, that initial password-based authentication is more than enough to compromise an account. As we mentioned earlier, transmitting your password over servers to authenticate an account gives hackers an opportunity to steal that password.
The way in which Microsoft, Apple, and Google are planning to make passwordless authentication widely available is through an authentication standard known as FIDO, a protocol that uses public key cryptography to enable both multi-factor and passwordless authentication. This technology also enables digital services to support passwordless first-time authentication. This means that, rather than having to sign in to an account and then set up passwordless authentication, you never have to rely on a password, and can therefore guarantee end-to-end passwordless security. This is something that many tech companies are excited about. For instance, London-based IT support providers will be able to guarantee their customers much higher security across all devices and digital services.
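The public key sign-in that FIDO relies on can be modelled in a few functions. This is an added example, not code from the article or from the FIDO standard: the service stores only a public key, and the phone proves possession of the matching private key by signing a fresh challenge while unlocked. The function names, the user "alice", the site https://shop.example and the message layout are assumptions made for illustration, not the real WebAuthn format.

```javascript
const nodeCrypto = require("node:crypto");

// Authenticator (the phone): creates a key pair for one site and keeps the private key.
function createPasskey(origin) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" }); // NIST P-256
  return { origin, publicKey, privateKey };
}

// Service: registration stores only the public key, so no password is ever set or sent.
function register(db, user, publicKey) {
  db.set(user, { publicKey, pending: null });
}

// Service: every sign-in attempt starts with a fresh random challenge.
function newChallenge(db, user) {
  const challenge = nodeCrypto.randomBytes(32).toString("hex");
  db.get(user).pending = challenge;
  return challenge;
}

// Authenticator: signs only when unlocked, and only for the origin the key was made for.
function signAssertion(passkey, challenge, requestingOrigin, deviceUnlocked) {
  if (!deviceUnlocked) throw new Error("device is locked");
  if (requestingOrigin !== passkey.origin) throw new Error("no passkey for this origin");
  const clientData = JSON.stringify({ challenge, origin: requestingOrigin });
  const signature = nodeCrypto.sign("sha256", Buffer.from(clientData), passkey.privateKey);
  return { clientData, signature };
}

// Service: checks challenge, origin and signature; each challenge is accepted once.
function verifyAssertion(db, user, expectedOrigin, assertion) {
  const record = db.get(user);
  if (!record || !record.pending) return false;
  const challenge = record.pending;
  record.pending = null;
  let data;
  try { data = JSON.parse(assertion.clientData); } catch { return false; }
  if (data.challenge !== challenge || data.origin !== expectedOrigin) return false;
  return nodeCrypto.verify("sha256", Buffer.from(assertion.clientData),
    record.publicKey, assertion.signature);
}

// Constructed demo: one valid sign-in, then the same captured response sent again.
function demoSignIn() {
  const db = new Map(), site = "https://shop.example";
  const passkey = createPasskey(site);
  register(db, "alice", passkey.publicKey);
  const assertion = signAssertion(passkey, newChallenge(db, "alice"), site, true);
  return { first: verifyAssertion(db, "alice", site, assertion),
           replay: verifyAssertion(db, "alice", site, assertion) };
}
```

Calling demoSignIn() shows the first response being accepted and the replayed copy rejected, which is why an intercepted sign-in message is of no use later in the way an intercepted password is.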