A group of technology companies including Apple Inc., Alphabet Inc.’s Google and Microsoft Corp. says it’s one step closer to eliminating what many people call one of the worst parts of the Internet experience: passwords.
The Fast Identity Online Alliance has been working for nearly a decade on a system that lets users log into their online accounts simply by using the unlock mechanisms on their smartphones or computers. Rather than sending a password over a network susceptible to outside interference, users link a public “key”, which resides on the account service provider’s server, to a private key, which cannot be removed from their device.
Previous versions of the group’s system still required users of new devices to enter passwords for each account before they could go passwordless. Now, the alliance says it has found a way to let users log into online accounts immediately with their faces, fingerprints and PINs, even on brand-new devices.
The update “means that users no longer need passwords,” said a white paper from the alliance, known as FIDO for short. “When they switch between devices, their FIDO credentials are already there, ready to use.”
The alliance, which represents more than 250 members, has been trying to reduce reliance on passwords since 2013, when six companies, including PayPal Holdings Inc. and Lenovo Group Ltd., came together to develop a new, more secure industry standard for online authentication.
Passwords not only create friction on the information highway, critics have long complained, but also real frustration and even abandoned accounts when consumers forget their secret codes. They also leave users, businesses and other organizations vulnerable to hackers and other malicious actors.
Security measures such as two-factor authentication, in which users typically supplement passwords with push notifications or codes sent by apps or text messages, have their own drawbacks. Many people seem reluctant to sign up.
“Even though we know in 2022 that passwords are inherently insecure and create many problems, getting people to secure them is still a challenge,” said Merritt Maxim, vice president and research director at Forrester Research Inc., where he specializes in security and risk.
Passwords are “the cockroaches of the internet”, Mr. Maxim said – irritating, hardy and worth taking the time to kill.
Some companies have developed passwordless options using FIDO standards.
Last September, Microsoft began allowing consumers to sign in to their accounts with the company’s authenticator app or software, physical security keys that plug into computer ports, or SMS and email verification, rather than passwords.
And when a user logs into eBay, the company detects whether the user’s device supports FIDO. If so, a pop-up window asks whether they want to enroll in passwordless authentication using the password, PIN, face recognition or fingerprint of their device. Those who accept are then prompted to use this method on subsequent logins – no account password is required.
EBay said login completion rates have improved since the introduction of FIDO technology in 2020, and acceptance rates were higher than for text-based two-factor authentication.
But a completely password-free world is still a long way off, said Forrester’s Maxim. FIDO’s vision is based primarily on account holders having their own connected devices, which is not true for all users around the world, he said. And while the system doesn’t share users’ biometrics with account service providers, some privacy-conscious users may be hesitant to use their face and fingerprints to unlock everything, he said.
The alliance has tested the language, icons and information that make people feel most comfortable enabling FIDO, said Andrew Shikiar, the group’s chief executive and chief marketing officer.
“People have to adapt to go from what they know – just typing in passwords – to something they know how to do, but don’t really log in,” Shikiar said.
Some apps already let users skip typing their passwords by using their device’s unlock mechanism, creating a “passwordless” user experience. But those apps still transmit passwords behind the scenes, leaving accounts vulnerable to hacking, Shikiar said. FIDO, by contrast, sends no human-readable information, including passwords, over networks when users turn it on, he said.
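As an added illustration of the public-key pairing described earlier and of the point that nothing human-readable crosses the network, the following Go sketch (not code from the article or from the FIDO Alliance) models a server that stores only a public key and verifies a signed one-time challenge bound to the site’s origin. The user names, origins and the choice of Ed25519 are this example’s own assumptions, and the local unlock step (face, fingerprint or PIN) is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server is the account provider: it stores public keys and one-time challenges, never a secret.
type Server struct {
	origin     string // site identity every signature must be bound to
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

// Device is the authenticator; its private key never leaves it.
type Device struct{ priv ed25519.PrivateKey }

func NewServer(origin string) *Server {
	return &Server{origin, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Enroll models registration: the device generates a key pair and hands over only the public half.
func (s *Server) Enroll(user string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	s.pubKeys[user] = pub
	return &Device{priv}, err
}

// Challenge issues a fresh random nonce; signing it proves possession of the private key.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand does not fail on supported platforms, so the error is ignored
	s.challenges[user] = c
	return c
}

// Sign is what the device does after the local unlock (face, fingerprint or PIN), which this model
// omits: it binds the challenge to the origin it is really talking to, so a look-alike site fails.
func (d *Device) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, append([]byte(origin+"|"), challenge...))
}

// Verify checks the signature with the stored public key and consumes the challenge (no replay).
func (s *Server) Verify(user string, sig []byte) bool {
	c, pub := s.challenges[user], s.pubKeys[user]
	delete(s.challenges, user)
	if c == nil || pub == nil {
		return false
	}
	return ed25519.Verify(pub, append([]byte(s.origin+"|"), c...), sig)
}
```

A breach of the server yields only public keys, and a signature captured in transit is useless once its challenge has been consumed.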
The alliance has also introduced workarounds for people who use shared devices. The updated technology allows users to turn their phones into authenticators that can log into accounts on computers via Bluetooth, which would allow users to access passwordless accounts on a library computer, for example.
But if the user can’t use their phone or doesn’t have one, the login experience will likely remain as it is today, Shikiar said.
“But let’s remember that getting rid of passwords is a journey, not a sprint,” he added.
Write to Katie Deighton at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.