Apple, Google, and Microsoft announced plans to expand support for a common passwordless sign-in standard developed by the FIDO Alliance and the World Wide Web Consortium to make the web more secure and usable for all. The new capability will enable websites and apps to provide consumers with consistent, safe, and simple passwordless sign-ins across devices and platforms.
Password-only authentication is one of the most severe security issues on the web. Managing so many passwords is inconvenient for consumers, leading them to reuse the same ones across services. This practice can result in costly account takeovers, data breaches, and even identity theft. While password managers and legacy forms of two-factor authentication provide incremental improvements, there has been industry-wide collaboration to develop more convenient and secure sign-in technology.
With the expanded standards-based capabilities, websites and apps will be able to provide an end-to-end passwordless option. Users will sign in using the same action they use to unlock their devices every day, such as verifying their fingerprint or face or entering a device PIN. This new approach protects against phishing, and sign-in will be significantly more secure than passwords and legacy multi-factor technologies such as one-time passcodes sent via SMS.
Passwordless Standard Support Expansion
Hundreds of technology companies and service providers worldwide collaborated with the FIDO Alliance and the World Wide Web Consortium to develop passwordless sign-in standards supported by billions of devices and all modern web browsers. Apple, Google, and Microsoft have spearheaded the development of this expanded set of capabilities, which are now being integrated into their respective platforms.
The platforms of these companies already support FIDO Alliance standards for passwordless sign-in on billions of industry-leading devices. Still, previous implementations required users to sign in to each website or app with each device before they could use passwordless functionality. With today’s announcement, these platform implementations are expanded to provide users with two new capabilities for more seamless and secure passwordless sign-ins:
Allow users to automatically access their FIDO sign-in credentials (known as a “passkey” by some) on many of their devices, including new ones, without reenrolling in each account.
Allow users to sign in to an app or website on a nearby device using FIDO authentication on their mobile device, regardless of the OS platform or browser they are using.
In addition to improving user experience, widespread adoption of this standards-based approach will enable service providers to offer FIDO credentials as an alternative sign-in or account recovery method.
These new features are expected to be available across Apple, Google, and Microsoft platforms in the coming year.
“‘Simpler, stronger authentication’ is not only the tagline of the FIDO Alliance; it is also a guiding principle for our specifications and deployment guidelines. We applaud Apple, Google, and Microsoft for committing to support this user-friendly innovation in their platforms and products, which is critical to seeing multi-factor authentication adopted at scale,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “This new capability is expected to usher in a new wave of low-friction FIDO implementations and the ongoing and growing use of security keys, providing service providers with a full range of options for deploying modern, phishing-resistant authentication.”
“The standards developed by the FIDO Alliance and World Wide Web Consortium, and being implemented by these forward-thinking companies, are the type of forward-thinking thinking that will ultimately keep the American people safer online. I applaud our private sector partners’ commitment to open standards that increase flexibility for service providers and provide a better user experience for customers,” said Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency. “At CISA, we are working to improve the cybersecurity of all Americans. Today marks a significant turning point in the security journey, encouraging built-in security best practices and assisting us in moving beyond passwords. Cyber is a team sport, and we’re excited to keep working together.”
“We design our products to be intuitive and capable, but we also design them to be private and secure,” said Kurt Knight, Senior Director of Platform Product Marketing at Apple. “Collaborating with the industry to establish new, more secure sign-in methods that offer better protection and eliminate password vulnerabilities is central to our commitment to building products that offer maximum security and a transparent user experience to keep users’ personal information safe.”
“This milestone is a testament to the industry’s collaborative work to increase security and eliminate outdated password-based authentication,” said Mark Risher, Senior Director of Product Management at Google. “It represents nearly a decade of work by Google and FIDO as part of our ongoing innovation toward a passwordless future. We are excited to make FIDO-based technology available across Chrome, ChromeOS, Android, and other platforms. We encourage app and website developers to use it so that people worldwide can safely avoid the risk and hassle of passwords.”
“The transition to a password-free world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier, and faster than passwords and legacy multi-factor authentication methods used today,” says Alex Simons, Microsoft’s Corporate Vice President of Identity Program Management. “By collaborating across platforms as a community, we can finally realize this vision and make significant progress toward eliminating passwords. We believe that FIDO-based credentials have a bright future in consumer and enterprise scenarios, and we will continue to expand support across Microsoft apps and services.”