Honestly, I’m not the biggest fan of World Password Day. Such arbitrary labels for a day of the year don’t seem to make much difference to the general awareness of major security vulnerabilities among most users. I’m making an exception for 2022, though, as three tech giants used the focus of password day to announce a stunning security pact. Ironically, it is a pact that could see passwords phased out of everyday use for millions of people. Here’s what Apple, Google and Microsoft announced and why it matters.
Eliminate password friction to strengthen security
Anyone who has ever read my articles or watched the Forbes Straight Talking Cyber video series knows that I am not a big fan of passwords. Or rather, of the poor security hygiene they tend to encourage among users. Easy to remember and easy to guess, passwords are the order of the day for so many and, to make matters worse, they are then reused across multiple accounts, sites and services. I’ve always been evangelical about using password managers, but even these applications, which make password usage less complicated while strengthening security, are too much of a hassle for the majority. For better security measures to reach the average user, they need to create as little friction as possible and be so easy to use that you hardly notice they are there. That’s why I’m also a fan of ‘passwordless’ systems and so excited about the stunning security pact between Apple, Google and Microsoft for 2022 and beyond.
Stunning Security Pact Between Apple, Google and Microsoft Unveiled
So, what have Apple, Google and Microsoft announced? In short, the three tech giants have agreed to make a concerted effort to “extend support for a common standard for passwordless logins”. What does that mean? Well, let’s start with what it doesn’t mean: immediate change. The changes will probably be rolled out over the coming months, and I wouldn’t be surprised at all if it is towards the end of the year before this vision of a passwordless future becomes a reality on all three vendor platforms. What it does mean is a commitment to the FIDO (Fast ID Online) Alliance standards, which use mobile devices instead of passwords to authenticate to apps and websites, and do so cross-platform. This is important because you can sign in to a site or service on your ‘in range’ computer just by looking at your phone, scanning your fingerprint or entering a PIN.
Easier, stronger, cross-platform authentication for everyone
In this scenario, the smartphone acts as a secure key store. For example, if you use biometrics to access that key, in one simple move you get something you are (face or fingerprint scan) or something you know (a PIN) plus something you have (the smartphone). As I’ve mentioned, improving security requires user adoption, which means solutions should be as frictionless as possible. This checks that box. If you’re already used to Face ID on your iPhone, Windows Hello on your computer, and Microsoft Authenticator or Google asking for two-factor smartphone authentication, you’ll appreciate how easy this is. The latter already shows how this cross-platform passwordless technology works: you want to access a site or service using a Google Chrome browser on a Windows PC, and you can do it by confirming a prompt that appears on your iPhone. How cool and convenient is that?
Simpler security, more robust security
While putting all your authentication eggs in one basket, a smartphone-shaped basket, may sound risky, there’s some mileage to the argument that it is actually safer than it sounds. At least for most people, most of the time. A threat actor needs physical access to your device and your face/fingerprint or PIN to access your accounts or services. This is in no way impossible, no one would suggest it is, and there is also an argument that it makes access easier for law enforcement officers in certain circumstances. However, speaking of the average user, someone who probably doesn’t use the strongest passwords but is statistically likely to reuse them across sites and services, in my never humble opinion it’s a big step forward in secure authentication.
What are the experts saying about this stunning security pact?
Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency (CISA): “The standards developed by the FIDO Alliance and the World Wide Web Consortium and led in practice by these innovative companies are the kind of forward thinking that will ultimately keep the American people safer online. I applaud the commitment of our private sector partners to open standards that add flexibility for service providers and a better user experience for customers.”
Jake Moore, Global Cybersecurity Advisor at ESET: “It is encouraging that Microsoft, Google and Apple are trying to pave the way to make access to accounts both secure and easy. This is not something that can be achieved overnight, but it highlights that more must be done when it comes to password protection. Cyber criminals will inevitably try to get around it by looking for ways to abuse this method, as nothing remains hack proof, but as with any early adoption of new technology it is a good start and we will probably see a decent version of this in the near future.”