Google, Microsoft, and Apple commit to passwordless sign-in standard
Google, Microsoft, and Apple have announced plans to expand passwordless sign-in support across major operating systems and devices. On May 5, 2022, the three companies announced that they will support a passwordless login standard created by the FIDO Alliance and the World Wide Web Consortium.
Passwordless login is currently specific to certain operating systems or services. Microsoft introduced support for passwordless accounts in 2021 and support for passwordless logins almost five years ago.
Customers can configure the online feature to use the company’s Authenticator app, Windows Hello, or other authentication options, to sign in to their accounts across Windows devices and Microsoft services. The company claims that more than 240 million customers log into their accounts without using a password each month.
According to the company, more than 330,000 customers have completely removed their Microsoft account password in the last six months.
“Simpler and Stronger Authentication is not only the slogan of the FIDO Alliance, but has also been a guiding principle for our specifications and implementation guidelines. Ubiquity and usability are critical for multi-factor authentication to be adopted at scale, and we applaud Apple, Google and Microsoft for helping make this a reality by pledging to support this user-friendly innovation across their platforms and products,” said Andrew Shikiar, CEO and CMO of the FIDO Alliance.
The enhanced standard bridges the gap between different operating systems, devices, applications, and services so that websites, services, and applications can offer “consistent, secure, and easy password-less logins for consumers across devices and platforms,” according to the announcement.
Passwords are “one of the most common entry points for attackers” according to Vasu Jakkal, corporate vice president of security, compliance, identity and governance at Microsoft. Password attacks have almost doubled in the last 12 months according to Microsoft.
Two-factor authentication mechanisms help protect accounts by blocking 99.9% of all attacks according to a Microsoft study. While attackers can steal user passwords, for example through phishing attacks, brute force attacks, or malware, two-factor authentication blocks account access until a secondary form of authentication is complete. Authenticator apps can be used for that, but also other means.
Passwordless login systems go a step further by removing passwords from accounts. Users use the same authentication options that they use for two-factor authentication, for example, an authenticator app, security key, Windows Hello, or codes that are sent to mobile devices or email accounts, but without having to provide a password.
The expanded standard gives websites and applications the option to offer end-to-end passwordless login options for their users and customers. With the new system enabled on their mobile devices, users will use the same verification methods to sign in to apps or services that they regularly use on their devices. They can enter their PIN or use biometric authentication options, if supported by the device.
Apple, Google, and Microsoft are expected to introduce support for the expanded standard in 2023.
The benefits of the new passwordless standard
The new passwordless standard has been created by the FIDO Alliance and W3C. It is backed by Microsoft, Google, and Apple, who will be adding support to their platforms. The three companies have “led the development of the extended set of capabilities” to extend what is already supported.
The main advantage of the extended standard is that it adds capabilities that significantly improve the experience:
- Users can use the authentication option provided by FIDO on their mobile devices to log in to any app, website, or nearby device, regardless of the operating system or browser being used.
- Users can access their FIDO login credentials on any device they own “without having to re-enroll each account.”
The FIDO Alliance notes that the new standard is “radically more secure compared to passwords and legacy multi-factor technologies such as one-time passcodes sent via SMS.” When Internet companies began introducing two-factor authentication options about a decade ago, many relied on insecure delivery channels, including email or SMS, for the secondary authentication code. While still more secure than password logins, these insecure channels could still be exploited by dedicated attackers.
The introduction of authentication apps, like Microsoft Authenticator or Authy, has eliminated that risk. The applications generate the codes locally, without any network activity.
The expanded standard that will be available in 2023 offers the same benefits, plus cross-device and cross-platform compatibility. The user’s biometric information, which is used for authentication to sites, applications and services, is only available locally. The passkey information can be synced between devices, again without any platform limitations, as long as the platform itself supports the extended standard.
It has been difficult in the past to install and use some authentication apps on multiple devices; the new standard will make it easier and improve the experience for users who lose access to their devices or switch to other devices.
Microsoft’s Windows Hello authentication system supports passkey logins on all sites that already support the functionality. Soon, Apple and Google device owners will be able to use passkeys to sign in to Microsoft accounts.
Password removal eliminates attacks that aim to steal account passwords. Phishing attacks often target user passwords and authentication information, but without a password and password authentication, attackers run into brick walls when trying to steal data that doesn’t exist.
Microsoft announced new passwordless login capabilities this week:
- Passwordless support is now available for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure in Windows 11 Insider Preview builds. Microsoft plans to roll out support for Windows 10 and 11 in the near future.
- Microsoft Authenticator supports multiple passwordless accounts for Azure AD. The new functionality will be rolled out to iOS devices in May 2022 and to Android devices later this year.
- Windows Hello for Business Cloud Trust improves the deployment experience for hybrid environments according to Microsoft.
- Temporary Access Pass in Azure AD has been in public preview for some time. The update enables users to use the feature to sign in for the first time, set up Windows Hello, and join a device to Azure AD.
Cross-platform and cross-device support for the passwordless login standard will make it more attractive to users by removing the hassle of juggling different passwordless authentication options if using different platforms.
It remains to be seen how the three major players will implement support and how well everything will work once support has been introduced on all three platforms.
Now you: Do you use two-factor authentication or passwordless logins?