You’ve heard passwordless logins are coming. But what is FIDO? And why is it important?

Apple, Google, and Microsoft recently pledged to support a common standard for passwordless logins to make the web a safer place for everyone. The standard they champion (called FIDO) works by using the same technology we use to unlock our devices every day, such as a PIN, fingerprint or facial recognition; only now this action will also log us in to websites and apps. It’s not only simpler: the FIDO standards make identity management cryptographically secure, easy and consistent across devices and websites.

The recent announcement that Apple, Google and Microsoft will expand their support for passwordless login standards created by the FIDO Alliance and the World Wide Web Consortium is a huge step forward for the industry and sets the stage for many new service providers to head down the road to fewer passwords, or none.

If you think that sounds like a big deal, it is. And it has been years since not just these three tech companies, but an entire industry, came together to reduce the global reliance on passwords. Let’s take a deeper dive into the FIDO Alliance, its standards, support, and the future of passwordless.

What is the FIDO Alliance?

The FIDO (Fast Identity Online) Alliance was publicly launched in 2013 to create standards and adopt stronger and easier authentication technology compared to usernames, passwords and other legacy methods of logging in to online services.

While it’s a huge victory that the three biggest platforms in the world (Apple, Google and Microsoft) are championing FIDO, they are not the only driving force behind the FIDO Alliance and are working with hundreds of companies around the world to make simpler, stronger authentication a reality.

FIDO Alliance members include the world’s largest technology platforms such as Apple, Google and Microsoft; those in the financial world such as Visa, Mastercard and JCB; consumer device players like Samsung and Huawei; social networks like Meta and Twitter; retailers like Amazon and eBay; governments and consultants; and hardware and software vendors (big and small!) like HID, IDEMIA, and Thales, and more.

The participation of all these stakeholders from several vertical sectors in the creation and adoption activities of the FIDO Alliance standards is paying off. Today, FIDO standards are supported by billions of devices and all modern web browsers, hundreds of products are FIDO certified, and major service providers like Amazon, eBay, and Microsoft already offer FIDO for sign-in.

Why is FIDO important?

Ultimately, anything still underpinned by a password has a level of insecurity, as it is centrally stored and can be shared. FIDO, on the other hand, leverages device-based authentication with public key cryptography. As such, FIDO credentials are phishing-resistant, meaning they simply cannot be shared or compromised in the same way or on the same scale as passwords.
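The public-key, device-based login described above can be modelled in a few lines. This is an added example, not code from the original article or from the FIDO Alliance; it is a simplified model rather than the WebAuthn message format, and the function names and `.example` origins are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of FIDO-style login, not the WebAuthn wire format.
const crypto = require('node:crypto');

// Device side: the private key is created on the device and never leaves it.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only half the service ever receives
    // `origin` is reported by the browser for the page actually open, not typed by the user.
    sign(challenge, origin) {
      const clientData = JSON.stringify({ challenge, origin });
      const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
      return { clientData, signature };
    },
  };
}

// Service side: stores a public key per account, so a database leak exposes no login secret.
function createRelyingParty(expectedOrigin, publicKey) {
  const pending = new Set(); // challenges issued and not yet used
  return {
    newChallenge() {
      const challenge = crypto.randomBytes(32).toString('hex');
      pending.add(challenge);
      return challenge;
    },
    verify({ clientData, signature }) {
      if (!crypto.verify('sha256', Buffer.from(clientData), publicKey, signature)) return 'bad-signature';
      const { challenge, origin } = JSON.parse(clientData);
      if (!pending.delete(challenge)) return 'stale-challenge'; // each challenge is single use
      return origin === expectedOrigin ? 'ok' : 'origin-mismatch';
    },
  };
}

// Constructed scenario with placeholder origins.
function runScenario() {
  const device = createAuthenticator();
  const site = createRelyingParty('https://bank.example', device.publicKey);
  const genuine = device.sign(site.newChallenge(), 'https://bank.example');
  // A look-alike page relays a real challenge; the signed origin is still the page the user is on.
  const relayed = device.sign(site.newChallenge(), 'https://bank-login.example');
  const edited = JSON.stringify({ ...JSON.parse(relayed.clientData), origin: 'https://bank.example' });
  return {
    login: site.verify(genuine),     // fresh challenge, right origin
    replay: site.verify(genuine),    // same response presented a second time
    lookAlike: site.verify(relayed), // valid signature, wrong origin
    rewritten: site.verify({ clientData: edited, signature: relayed.signature }),
  };
}
```

Only the first attempt is accepted: the replay, the response signed on the look-alike origin and the response with its origin rewritten after signing are all rejected, and nothing the service stores would let someone else log in.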

Password-only authentication is one of the biggest security issues on the web. And not only that, managing the number of passwords that are required of us in our modern lives is tedious and almost impossible to do efficiently. As a result, consumers routinely reuse the same passwords across services, a practice that leaves them highly vulnerable to costly account takeovers, data breaches, and even stolen identities.

There were nearly 2,000 data breaches in 2021 according to the Identity Theft Resource Center’s Annual Data Breach Report, a 68% increase over 2020. When a breach occurs, the emails and passwords associated with online accounts are often leaked too, meaning consumer credentials end up on the dark web and leave their owners vulnerable to phishing scams or identity theft.

The most common passwords on the dark web? You could probably guess them, which helps me make my other point that, in addition to reusing passwords, easily guessable passwords still are by far the most common. That’s right: 123456, 123456789, azerty, password, and Abc123 all rank in the top ten.

While password managers and older forms of two-factor authentication offer incremental improvements, they are increasingly at risk themselves while posing a major inconvenience to consumers. One-time passcodes sent by SMS, for example, are still phishable and can be compromised; there are even hacker toolkits available on the web for doing this.

The power of passwordless – what’s next for FIDO?

We talked about FIDO’s broad industry backing and support across all major operating systems and browsers, so what’s the latest from the Alliance, Apple, Google and Microsoft and what does this mean for the future of passwordless?

What the three companies announced is expanded support for FIDO standards, to provide users with two new features for more seamless and secure passwordless logins:

  1. Users can automatically access their FIDO login credentials (also known as “access keys”) on many of their devices, even new ones, without having to re-enroll each account.
  2. Users can use FIDO authentication on their mobile device to log into an app or website on a nearby device, regardless of the operating system platform or browser they are running.

These new features aim to deliver a significantly improved login experience and are an invaluable step towards making passwordless a daily reality for consumers. Service providers, for their part, can offer FIDO logins without needing passwords as an alternative method of login or account recovery, helping them become truly password-free. We expect to see a new wave of low-friction FIDO implementations, alongside the continued and growing use of high-assurance FIDO security keys, giving service providers a full range of options for deploying modern, phishing-resistant authentication.

This is yet another step on the way to using fewer and fewer passwords. And after that? We’re not there yet: we need to see these capabilities come to market, service providers offer them, and consumers start using them. But the future looks bright, perhaps not yet ‘passwordless’, but certainly with ‘fewer’ passwords.
