Big Tech will soon deploy passwordless login technology

On May 5, technology giants including Apple, Google and Microsoft made a joint announcement, pledging to support passwordless login with all mobile devices, computers and integrated browser platforms. incorporated in its products.

The new technology will be available on Android and iOS, Chrome, Edge and Safari browsers, as well as desktop devices running Windows and macOS operating systems.

This cross-platform feature is supported by a standard called FIDO, which uses principles based on public encryption keys for passwordless authentication and multi-factor authentication in a variety of contexts.

The user’s phone can contain a unique FIDO key and share that code with a website for authentication only when the phone is unlocked. According to Google, this passcode can easily be synced to a new device via cloud backup in case the phone is lost.

“In addition to designing products to be intuitive and efficient, we’re also focused on product privacy and safety,” said Kurt Knight, senior manager of marketing platforms at Apple. know. “Working with industry players to build new login methods that provide maximum security and a transparent user experience is at the heart of our commitment to keeping user information safe.” .

The passwordless login process allows users to choose their phone as the primary authentication device for apps, websites, and other digital services.

The default phone unlock operation, such as entering a PIN, drawing a pattern or using a fingerprint, is enough to log in to use web services without having to type in a password. The technology works by using unique message encryption, also known as a pass key, that is shared between the phone and the website.

Easier but safer

The idea of ​​implementing login right on a physical device allows users to benefit from simplicity but still ensure security. Without a password, users are not required to remember login details or risk using the same password across different platforms.

Similarly, a passwordless system makes it difficult for hackers to penetrate remotely because access to the physical device is required. Theoretically, phishing attacks that direct users to a fake website asking for a password would be difficult to perform.

Vasu Jakkal, Microsoft Vice President of Security, Compliance, Identity, and Privacy highlights the level of cross-platform compatibility. “With the keys on the user’s mobile device, they can log in to an app or service on virtually any device regardless of what operating system or browser it’s running on,” Jakkal said. “For example, a user can sign in to the Google Chrome browser running on Microsoft Windows using the passcode on an Apple device.”

Although many popular applications already support this authentication technology, users are still forced to log in with a password (first login) to customize FIDO, making them still vulnerable to FIDO attacks. phishing attacks where passwords can be tampered with or stolen in the process.

According to Sampath Srinivas, Product Management Manager for Secure Authentication at Google and president of the FIDO Alliance, the new processes will eliminate the initial requirement for a password.

“The FIDO support expansion effort announced today will make it possible for websites, for the first time, to deploy an end-to-end passwordless experience with security against online phishing,” said Srinivas. “This includes both initial logins to the site as well as subsequent visits. As key cryptography becomes ubiquitous in 2022 and 2023, we will finally have the Internet for a truly passwordless future.”

While not giving a specific roadmap, Apple, Google and Microsoft all said that they expect the new sign-in technology to be universal on all platforms by next year.

Vinh Ngo (According to TheVerge)