Big Tech plans to kill off passwords altogether. What next?

Big Tech behemoths Apple, Google and Microsoft have announced plans to kill off passwords.

The tech giants revealed on Thursday – which, coincidentally, happens to be World Password Day – a commitment to support a new, common passwordless sign-in standard across all their platforms and devices.

Passwordless sign-in may already be familiar to iPhone or Android users, who can use facial scans or fingerprints to authenticate payments and sign in to apps.

Thursday’s announcement means that the same principle could soon be applied across major platforms including Android and iOS devices, Windows and MacOS computers and Internet browsers.

“Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN,” the FIDO Alliance, an industry association that co-developed the common passwordless sign-in standard said.

“This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS,” it said.

“To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access,” Google secure authentication product manager and FIDO Alliance president Sampath Srinivas wrote in a blog announcing the move on Thursday.

“Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer,” he added.

What’s wrong with passwords?

Most of us have an ever-expanding number of different accounts for apps and online services, and that’s part of what makes passwords less secure, argue Apple, Google and Microsoft.

“Managing so many passwords is cumbersome for consumers, which often leads consumers to reuse the same ones across services,” the companies said in a shared statement.

In theory, passwordless sign-in gets around this problem as well as threats like phishing attacks and data breaches, by tying login credentials to a combination of a physical device and a user’s unique attribute – like a facial scan or a fingerprint.

Using biometric logins like fingerprints and facial scans will be “radically more secure,” the companies saidLukenn Sabellano / Unsplash

The process works like this: when a user signs up for a service, it sends a request to their device, which they approve the same way they unlock the device. Doing this generates a “passkey” that is stored on the device and a public key that is sent to the service.

The next time the service sends a sign-in request to the device, the user’s facial scan or fingerprint unlocks the passkey, which is then matched with the public key, granting access.

Although doing this means that login credentials become linked to specific devices, losing your phone will not leave you unable to access your accounts, Srinivas claimed.

“Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off,” he said.

Passwordless sign–up

While Apple, Google and Microsoft already support passwordless sign-in, Thursday’s announcement signals an expansion of those capabilities.

Currently, users need to first access a service using a password before they are able to activate a passwordless sign-in method, but by the end of this year, users may be able to sign up to services without using a password from the first time they log in.

The companies’ commitment also means that users will be able to sign into an app or website using a nearby mobile device, no matter which operating system or browser they are using, the FIDO Alliance said.