Passwords? Who wants to use a password? You always forget your passwords, they force you to tax your memory and spell everything correctly. Yuck. Nobody wants a password. Ok, ok. Yes, this is based on the late Steve Jobs’ comment about the stylus on that now-famous January day in 2007 when he introduced the iPhone.
FIDO Alliance working on a replacement for the use of passwords
Actually, in 2FA, a text is sent to your handset that contains a code that you type into the app or website and this verifies that you are who you say you are because no one but you would ever have your phone (note the sarcasm). Well, that is the theory that 2FA is based on. But FIDO has a goal to replace passwords using cryptographic keys. When the phone owner unlocks his device whether by using a fingerprint scanner, facial recognition, or a passcode, he will be asked to sign in using a “passkey.”
As the FIDO Alliance says, “During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge.” The “passkey” is stored on your device and the cloud sync service associated with the operating system that your phone uses.
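The registration and challenge-signing flow in the FIDO quote above, as an added Node.js example that is not code from the article, Google, or the FIDO Alliance. The class names Authenticator and RelyingParty, the user "alice" and the P-256 key type are assumptions made for illustration; real deployments use the WebAuthn API and sign more than the bare challenge.

```javascript
// Added illustration. Authenticator and RelyingParty are hypothetical names,
// not FIDO or WebAuthn APIs; "alice" and the flow in demo() are constructed.
const nodeCrypto = require("node:crypto");

class Authenticator {            // the user's device
  register() {
    const pair = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.privateKey = pair.privateKey;                 // retained on the device
    return pair.publicKey.export({ type: "spki", format: "pem" }); // sent to the service
  }
  sign(challenge) { return nodeCrypto.sign("sha256", challenge, this.privateKey); }
}

class RelyingParty {             // the online service
  constructor() {
    this.publicKeys = new Map(); // user -> registered public key (PEM)
    this.pending = new Map();    // user -> challenge awaiting a signature
  }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  issueChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.publicKeys.get(user);
    this.pending.delete(user);   // a challenge is accepted at most once
    if (!challenge || !publicKey) return false;
    return nodeCrypto.verify("sha256", challenge, publicKey, signature);
  }
}

function demo() {
  const phone = new Authenticator();
  const service = new RelyingParty();
  service.enroll("alice", phone.register());
  const signature = phone.sign(service.issueChallenge("alice"));
  const firstLogin = service.verify("alice", signature);
  const replayed = service.verify("alice", signature);       // challenge already used
  service.issueChallenge("alice");
  const staleSignature = service.verify("alice", signature); // signed an older challenge
  const otherDevice = new Authenticator();
  otherDevice.register();                                    // key the service never saw
  const wrongKey = service.verify("alice", otherDevice.sign(service.issueChallenge("alice")));
  return { firstLogin, replayed, staleSignature, wrongKey };
}
console.log(demo());
```

The service stores only the public key, so a breach of its database yields nothing that can produce a valid signature, and a captured signature is useless once its challenge has been consumed.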
According to strings of code discovered by 9to5Google in the latest version of Google Play services (version 22.15.14), Android users’ “passkeys” will be saved to their Google account as suggested by these strings:
- Hello passkeys, goodbye passwords
- Passkeys provide better protection than passwords – and they’re safely saved in your Google Account.
To be honest, this won’t deliver us the password-free world that we all aspire to see. That’s because the very first time you open an app or a website on your mobile browser, you will need to know the password for your Google Account or Apple ID. (Oh yes, did we fail to tell you that Apple is also a member of the FIDO Alliance?)
But that info would only be needed the first time you open an app after installing it, or when setting up a new phone. As the FIDO Alliance wrote in a white paper last month, “Just like password managers do with passwords, the underlying OS platform will “sync” the cryptographic keys that belong to a FIDO credential from device to device.”
FIDO added that “This means that the security and availability of a user’s synced credential depends on the security of the underlying OS platform’s (Google’s, Apple’s, Microsoft’s, etc.) authentication mechanism for their online accounts, and on the security method for reinstating access when all (old) devices were lost.”
Based on the wording of the string, Google will be heavily promoting and making a big deal about “passkeys,” hoping that many Android users decide to give it a go as a replacement for their passwords.
- Amazon.
- American Express.
- Apple.
- Bank of America.
- CVS Health.
- Egis.
- Feitian.
- Google.
- Intel.
- Lenovo.
- Meta.
- Microsoft.
- Qualcomm.
- Samsung.