Finally Joining FIDO, Apple Starts Supporting 'WebAuthn' Password-Free Authentication


The username-password combination is still widely used by web services and apps. But as the tech ecosystem grows, the future is passwordless.

The Fast Identity Online (FIDO) Alliance is an open industry association that promotes passwordless authentication. The alliance has been seeking to replace password-only logins with secure and fast login experiences across websites and apps using the emerging standard 'WebAuthn'.

FIDO already counts big names among its members, such as Google, Microsoft, Samsung, Amazon, ARM, and Intel.

And here, Apple is finally joining the alliance.

Apple already supports its own passwordless authentication. For example, with Face ID and Touch ID, Apple users can authenticate with biometrics, without having to type in anything. This is one of the reasons why Apple has always stayed a step away from FIDO.

But with Apple joining the alliance, this is changing. And people should expect more support for password-free authentication on iOS and macOS devices.

FIDO Alliance conference announcing Apple as member of its board.

With Apple joining the FIDO Alliance as a board member, the members page of FIDO's official website has added the Apple logo, placing it alongside tech companies like Amazon, Arm, Qualcomm, VMware, Facebook, Google, Intel, Microsoft, Yahoo! Japan and Samsung.

A number of big names in finance are also on the list, including American Express, ING, Mastercard, PayPal, Visa, and Wells Fargo.

Apple becoming a member of the FIDO Alliance had been predicted.

Back in 2018, Apple's WebKit browser team added 'experimental support' for WebAuthn. Then in December 2019, Apple added native support for FIDO-compliant security keys, like the YubiKey, using the WebAuthn standard over near-field communication (NFC), USB, or Lightning in iOS 13.3.


While the password is the most popular method of authentication, most security breaches happened because of people using poor and weak passwords.

Biometric authentication like Face ID and Touch ID can help, as do password managers. But in certain cases, users are still required to enter their passwords manually. In a fast-paced, quickly developing world, this is inconvenient.

Furthermore, Apple’s system is limited to its own devices.

The industry acknowledges this, and has for years tried to kill passwords and to allow people to log in to their accounts regardless of their device. WebAuthn is a specification written by the W3C and FIDO. It defines an application programming interface (API) that allows servers to register and authenticate users using public key cryptography instead of a password.

The method can use a hardware security key, like those from Yubico; a biometric ID derived from the biometric sensor of the user's PC or smartphone; or a device-based authentication program.
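
The register-then-authenticate exchange described above, as an added example that is not part of the original article or of any FIDO or W3C code: a simplified Node.js model in which the server stores only a public key and verifies a signed, single-use challenge. The message layout, the function names and the `example.test` origin are assumptions for illustration, not the actual WebAuthn wire format.

```javascript
// Added example: simplified model of the WebAuthn register/authenticate exchange.
const nodeCrypto = require('node:crypto');

const ORIGIN = 'https://example.test'; // constructed relying-party origin
const server = { credentials: new Map(), pending: new Map() };

// Authenticator: generates the key pair; the private key never leaves this closure.
function makeAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const sign = (challenge, origin) => {
    const clientData = JSON.stringify({ challenge, origin });
    return { clientData, signature: nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey) };
  };
  return { publicKey, sign };
}

// Registration: the server stores a public key, so there is no shared secret to leak.
function register(user, publicKey) { server.credentials.set(user, publicKey); }

// Every login attempt gets a fresh random challenge.
function newChallenge(user) {
  const challenge = nodeCrypto.randomBytes(32).toString('base64url');
  server.pending.set(user, challenge);
  return challenge;
}

// Authentication: check challenge, origin, then the signature against the stored key.
function verifyAssertion(user, { clientData, signature }) {
  const expected = server.pending.get(user);
  server.pending.delete(user); // single use, so a captured assertion cannot be replayed
  const publicKey = server.credentials.get(user);
  if (!expected || !publicKey) return false;
  let parsed;
  try { parsed = JSON.parse(clientData) || {}; } catch { return false; }
  if (parsed.challenge !== expected || parsed.origin !== ORIGIN) return false;
  return nodeCrypto.verify('sha256', Buffer.from(clientData), publicKey, signature);
}

function demo() {
  const key = makeAuthenticator();
  register('alice', key.publicKey);
  const good = key.sign(newChallenge('alice'), ORIGIN);
  const first = verifyAssertion('alice', good);
  const replay = verifyAssertion('alice', good); // same assertion sent twice
  const wrongOrigin = verifyAssertion('alice', key.sign(newChallenge('alice'), 'https://other.test'));
  const wrongKey = verifyAssertion('alice', makeAuthenticator().sign(newChallenge('alice'), ORIGIN));
  return { first, replay, wrongOrigin, wrongKey };
}
console.log(demo());
```

Only the first assertion is accepted; the repeated one, the one signed for a different origin and the one signed by an unregistered key are all rejected.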

In other words, the alliance simply wants all manufacturers to sign up to its approach of using WebAuthn so users can authorize a login on an Android smartphone, Android tablet, Chromebook, Windows PC or any other trusted device.

FIDO2

The alliance promotes a number of protocols that help websites, apps, and devices with password-free authentication.

Its FIDO2 standards, for example, are suited to verifying credentials for web and mobile. Back in 2019, Google rolled out support for passwordless login for Chrome for Android using biometric authentication, by supporting FIDO2.

And its FIDO Universal Second Factor (FIDO U2F) standard provides a framework for NFC or specialized USB-based physical authentication keys such as Google’s Titan Key. For iOS and Mac users, YubiKey provides a solution with a dual Lightning and USB-C connector.

Apple joining the crowd should be good news, but people should not expect passwords to be completely eliminated just yet.

In one form or another, passwords have been employed since the dawn of civilization. However, with people having to store a lot of passwords for different services, passwords' limitations are being felt by not just cybersecurity and IT professionals but also by end users and non-tech people.

There may come a day when end users show a marked preference for online services that don’t require them to remember a password at all.

In the meantime, cybersecurity professionals and online services should at least be encouraging developers to develop and implement two-factor authentication as an alternative to passwords.

Published: 13/02/2020