Today, Microsoft, Apple, and Google announced plans to support a common passwordless sign-in standard (known as passkeys) developed by the World Wide Web Consortium (W3C) and the FIDO Alliance.
Once implemented, these new Web Authentication (WebAuthn) credentials (aka FIDO credentials) will allow the three tech giants’ users to log in to their accounts without using a password.
Instead of using passwords, they will be able to verify their identity using PINs or biometric authentication (fingerprint or face).
“To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access,” said Sampath Srinivas, Google PM Director for Secure Authentication.
“Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.”
The new capabilities should become available across leading platforms, devices, websites, and apps operated by Microsoft, Apple, and Google over the coming year.
[Image: FIDO passkey sign-in (FIDO Alliance)]
“These multi-device FIDO credentials, sometimes referred to as passkeys, represent a monumental step toward a world without passwords,” added Microsoft Identity Division Vice President Alex Simons.
When available, passkeys will remove the need to sign in to each app or website on every device and add capabilities for more seamless passwordless sign-ins:
- Users can automatically access their passkeys on many of their devices without having to re-enroll for each account.
- With passkeys on your mobile device, you can sign in to an app or service on nearly any device, regardless of the platform or browser the device is running.
Moving away from using passwords to sign in to accounts will make the web more secure, since passwords are the most common point of entry used by attackers to hijack online identities.
As Vasu Jakkal, Microsoft’s Corporate Vice President, Security, Compliance, Identity, and Management, revealed today, “there are 921 password attacks every second—nearly doubling in frequency over the past 12 months.”
Passwordless sign-in push
Of the three companies, Microsoft has been pushing for passwordless sign-ins across many of its platforms and services for several years now.
In December 2020, Microsoft reported that over 150 million users logged into their Azure Active Directory and Microsoft accounts without using passwords.
The company began rolling out passwordless login support for all Microsoft accounts in September, allowing its customers to log into their Microsoft accounts without using a password.
In October, the Microsoft Detection and Response Team (DART) said it detected an increase in password spray attacks targeting privileged cloud accounts and high-profile identities.
One year before, Simons revealed that password spray attacks were among the most popular authentication attacks, as they were behind over a third of enterprise account compromises.
“I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers,” said CISA Director Jen Easterly.
“Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords.”