Apple, Google, Microsoft announce commitment to 'passwordless' future

Posted:
in General Discussion
Security body FIDO has received new backing from Apple, Google, and Microsoft, with the tech companies all announcing that they are expanding support for the alliance's passwordless sign-in standard.

Revealed at WWDC 2021, Apple's Passkey plans appear to fit with the aims of the FIDO alliance's new announcement
Revealed at WWDC 2021, Apple's Passkey plans appear to fit with the aims of the FIDO alliance's new announcement


Following its joining of the FIDO -- Fast Identity Online -- alliance in 2020, Apple has now announced its extended support for the group's technology and goals. In a joint statement from FIDO, Apple, Google, and Microsoft, seen by AppleInsider, the alliance aims to allow websites and apps to offer secure and simple sign-ins without using passwords.

"Just as we design our products to be intuitive and capable," said Apple senior director of platform product marketing, Kurt Knight, in the statement, "we also design them to be private and secure."

"Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience," continued Knight, "all with the goal of keeping users' personal information safe."

FIDO maintains that password authentication is one of the biggest security problems, from how reused passwords mean a breach in one service, can expose others. It also argues that managing passwords is cumbersome for consumers, and that its standard would allow for a secure passwordless option.

"Users will sign in through the same action that they take multiple times each day to unlock their devices," says the alliance, "such as a simple verification of their fingerprint or face, or a device PIN."

It's not immediately clear how falling back to a device PIN would be more secure than a properly configured password, however. Most iPhone device PINs are four or six numbers, and currently it takes an extra step to make it longer or alphanumeric.

The approach does, though, tie in with Apple's own proposed passkey feature, previously announced at WWDC 2021. This is intended to mimic hardware security keys, but use iCloud Keychain instead of physical devices.

The Developer session from WWDC 2021, "Move beyond passwords," is available to view. So far, though, Apple has introduced initial support for its passkey technology in iOS 15.4.

There is no expected release date for the new features on any platform. The group's statement says that Apple, Google, and Microsoft will implement the features "over the course of the coming year."

The most likely roll-out for new features for Apple is at WWDC 2022, with a release in the fall, alongside the new iPhones.

Read on AppleInsider
«1

Comments

  • Reply 1 of 26

    It's not immediately clear how falling back to a device PIN would be more secure than a properly configured password, however.

    The reason it’s more secure is because there are multiple factors - the device (something you have), and the PIN (something you know) or biometric - face, or finger (something you are).  No one is suggesting we replace passwords with PINs, they’re saying a device AND a PIN - or some other factor. 
    edited May 2022 Alex1Ntwokatmewlolliverjony0
  • Reply 2 of 26
    rob53rob53 Posts: 3,091member

    It's not immediately clear how falling back to a device PIN would be more secure than a properly configured password, however.

    The reason it’s more secure is because there are multiple factors - the device (something you have), and the PIN (something you know) or biometric - face, or finger (something you are).  No one is suggesting we replace passwords with PINs, they’re saying a device AND a PIN - or some other factor. 
    Standard two-factor authentication, which has been in use for decades. Apple Card already has the second factor built in with their rotating CCV. I used the standard RSA rotating token for years. I still call these password systems. Most websites are using the text msg/email second “password” so it’s not that big of a deal. What worries me is how convoluted this group will make it so it fits into each of their existing products, like AD (ugh!).
    Alex1Nscstrrf
  • Reply 3 of 26
    Fred257Fred257 Posts: 212member
    I’m currently locked out of my own Gmail account because I forgot my password.

    I do not have notifications on messages so Google kept sending me messages in my phone (without telling me) and my account is frozen for 48 hours.

    I will be getting rid of all Gmail accounts because of this.
    williamlondonlolliverwatto_cobra
  • Reply 4 of 26
    mike1mike1 Posts: 3,135member
    rob53 said:

    It's not immediately clear how falling back to a device PIN would be more secure than a properly configured password, however.

    The reason it’s more secure is because there are multiple factors - the device (something you have), and the PIN (something you know) or biometric - face, or finger (something you are).  No one is suggesting we replace passwords with PINs, they’re saying a device AND a PIN - or some other factor. 
    Standard two-factor authentication, which has been in use for decades. Apple Card already has the second factor built in with their rotating CCV. I used the standard RSA rotating token for years. I still call these password systems. Most websites are using the text msg/email second “password” so it’s not that big of a deal. What worries me is how convoluted this group will make it so it fits into each of their existing products, like AD (ugh!).
    Interesting. My CCV has never changed since I got my Apple Card. I know there is an option to force a new card #, but nothing automatic.

    watto_cobra
  • Reply 5 of 26
    I’m fine with password management for now and really have no issues with it. What I’d prefer is not having to provide an email address everywhere and then get unwanted junk e-mail. I use hide my email but that’s still something I have to manage. 

    Still, maybe this is a step in that direction. I’m curious to see where it goes. 

    mike1 said:
    rob53 said:

    It's not immediately clear how falling back to a device PIN would be more secure than a properly configured password, however.

    The reason it’s more secure is because there are multiple factors - the device (something you have), and the PIN (something you know) or biometric - face, or finger (something you are).  No one is suggesting we replace passwords with PINs, they’re saying a device AND a PIN - or some other factor. 
    Standard two-factor authentication, which has been in use for decades. Apple Card already has the second factor built in with their rotating CCV. I used the standard RSA rotating token for years. I still call these password systems. Most websites are using the text msg/email second “password” so it’s not that big of a deal. What worries me is how convoluted this group will make it so it fits into each of their existing products, like AD (ugh!).
    Interesting. My CCV has never changed since I got my Apple Card. I know there is an option to force a new card #, but nothing automatic.

    You need to turn on Advanced Fraud Protection to get rotating CCVs. You’ll find that by tapping on the little credit card icon in the upper right corner when in the Apple Card details view. 
    rob53scstrrfwelshdogmike1cornchipMplsPlolliverwatto_cobra
  • Reply 6 of 26
    9secondkox29secondkox2 Posts: 1,588member
    A pin is basically a password. 

    Everything else is tying your activities directly to you. 

    Don’t like where this is going. 
    cornchipwatto_cobra
  • Reply 7 of 26
    rob53rob53 Posts: 3,091member
    I’m fine with password management for now and really have no issues with it. What I’d prefer is not having to provide an email address everywhere and then get unwanted junk e-mail. I use hide my email but that’s still something I have to manage. 

    Still, maybe this is a step in that direction. I’m curious to see where it goes. 

    mike1 said:
    rob53 said:

    It's not immediately clear how falling back to a device PIN would be more secure than a properly configured password, however.

    The reason it’s more secure is because there are multiple factors - the device (something you have), and the PIN (something you know) or biometric - face, or finger (something you are).  No one is suggesting we replace passwords with PINs, they’re saying a device AND a PIN - or some other factor. 
    Standard two-factor authentication, which has been in use for decades. Apple Card already has the second factor built in with their rotating CCV. I used the standard RSA rotating token for years. I still call these password systems. Most websites are using the text msg/email second “password” so it’s not that big of a deal. What worries me is how convoluted this group will make it so it fits into each of their existing products, like AD (ugh!).
    Interesting. My CCV has never changed since I got my Apple Card. I know there is an option to force a new card #, but nothing automatic.

    You need to turn on Advanced Fraud Protection to get rotating CCVs. You’ll find that by tapping on the little credit card icon in the upper right corner when in the Apple Card details view. 
    I also noticed Apple uses two different last four digit numbers for merchants to use. Apple already has the basis for all kinds of secure two or three or four factor authentication (iPhone, iPad, watch, rotating PIN number, etc). I really don’t care about other systems simply because they (Windows) has so much garbage built into it that it will never be secure. I reference the latest Outlook server bug. Reminds me of the macro bugs Microsoft is infamous for. 
    lolliverwatto_cobra
  • Reply 8 of 26
    lkrupplkrupp Posts: 10,341member
    As Forrest Gump’s Mother said, “Stupid is as stupid does.” Any security method that requires a single brain cell of awareness or action by a human being will be compromised eventually. It is the human condition. Just like human interface engineers have been trying for decades to make computers easy to use by the masses... they can’t and never will. There’s just too much stupid in the world. I mean just look at reply #3 in this thread.
    appleinsiderusermacplusplus
  • Reply 9 of 26
    xyzzy-xxxxyzzy-xxx Posts: 139member
    Apple uses iCloud to synchronize login data between devices – I don't like this !
    williamlondon
  • Reply 10 of 26
    crowleycrowley Posts: 10,453member
    xyzzy-xxx said:
    Apple uses iCloud to synchronize login data between devices – I don't like this !
    Turn it off then.
    lolliverwatto_cobra
  • Reply 11 of 26
    DAalsethDAalseth Posts: 2,583member
    Almost 20 years ago I did a platform presentation at the University where I worked on this very subject. I was trying to make the argument that passwords were obsolete. No one coud remember strong ones, and the ones they did use were not strong. I wanted a third option. At the time most in the IT group I was presenting to just said “use a password manager” and didn’t pay attention to the rest. I’m glad to see that the powers that be have come around to realizing that passwords are just not good enough any more. We need a new, more secure, third option.

    I hope this takes hold and changes the whole landscape.
    edited May 2022 lolliverStrangeDayswatto_cobra
  • Reply 12 of 26
    AppleInsider said:
    It's not immediately clear how falling back to a device PIN would be more secure than a properly configured password, however. Most iPhone device PINs are four or six numbers, and currently it takes an extra step to make it longer or alphanumeric.
    This is literally the standard for enterprise and DoD security. This is really no different than Okta Verify, Duo, Google Authenticator, Microsoft Authenticator, or any of the other true MFA systems.
    StrangeDayswatto_cobra
  • Reply 13 of 26
    DAalsethDAalseth Posts: 2,583member
    A pin is basically a password. 

    Everything else is tying your activities directly to you. 

    Don’t like where this is going. 
    20 years ago we were using something called Password Key. It was a stick with a six digit PIN on it. But the thing was, the PIN changed every minute to another random PIN. The server and the stick used the same algorithm and the same clock so the server knew what the pin had to be to log in. Every stick had a different algorithm and the stick was tied to my ID. It was very secure. I'm sure this is something along those lines, only 20 years more advanced. 20 years more secure.
    Really this is a very good thing. 
    lolliverwatto_cobra
  • Reply 14 of 26
    robin huberrobin huber Posts: 3,724member
    Yes please. Am sick of password hell. But thought biometrics would be the solution. 
    williamlondonwatto_cobra
  • Reply 15 of 26
    bulk001bulk001 Posts: 716member
    Fred257 said:
    I’m currently locked out of my own Gmail account because I forgot my password.

    I do not have notifications on messages so Google kept sending me messages in my phone (without telling me) and my account is frozen for 48 hours.

    I will be getting rid of all Gmail accounts because of this.
    So you forgot your password, don’t use a password manager and don’t have alerts setup on your phone and it is googles problem that they are keeping your account secure. What do you want? They to post your password on a public forum or something. Sound like it your issue, not Googles!
    williamlondonmwhite
  • Reply 16 of 26

    It's not immediately clear how falling back to a device PIN would be more secure than a properly configured password, however.

    The reason it’s more secure is because there are multiple factors - the device (something you have), and the PIN (something you know) or biometric - face, or finger (something you are).  No one is suggesting we replace passwords with PINs, they’re saying a device AND a PIN - or some other factor. 
    Is that true? I don't know if you will need to enroll a new device before using it. But either way, this is a dramatic improvement over passwords because it will prevent them from ever being transmitted. Like Kerberos or public-key SSH, no secret will be transmitted between server and client.

    Among other benefits, that means that there will be no compromises due to shared/reused passwords exposed by compromised sites. We see customers fall victim to that every week.
    A pin is basically a password. 

    Everything else is tying your activities directly to you. 

    Don’t like where this is going. 
    Yeah... no. I sympathize with your distaste for tracking, but you need to learn a lot more if you're going to have a meaningful opinion. As I said above, device PINs (while they have issues as well) are NOT the same as passwords.
    StrangeDays9secondkox2watto_cobra
  • Reply 17 of 26
    slurpyslurpy Posts: 5,362member
    If you actually use Apple products and take advantage of  features such as iCloud Keychain, Sign In with Apple, auto generating passwords, Touch ID / Face ID, then you’re already in a passworldless present. I haven’t had to memorize or note down or enter a password for ages. Apple’s ecosystem takes care of that brilliantly and securely. 
    StrangeDayswatto_cobra
  • Reply 18 of 26
    JustSomeGuy1JustSomeGuy1 Posts: 306member
    DAalseth said:
    A pin is basically a password. 

    Everything else is tying your activities directly to you. 

    Don’t like where this is going. 
    20 years ago we were using something called Password Key. It was a stick with a six digit PIN on it. But the thing was, the PIN changed every minute to another random PIN. The server and the stick used the same algorithm and the same clock so the server knew what the pin had to be to log in. Every stick had a different algorithm and the stick was tied to my ID. It was very secure. I'm sure this is something along those lines, only 20 years more advanced. 20 years more secure.
    Really this is a very good thing. 
    I'm pretty sure the algorithm was always the same. Seeds were different.
    DAalsethwatto_cobra
  • Reply 19 of 26
    StrangeDaysStrangeDays Posts: 12,325member
    It's not immediately clear how falling back to a device PIN would be more secure than a properly configured password, however. Most iPhone device PINs are four or six numbers, and currently it takes an extra step to make it longer or alphanumeric.
    My current client is the federal government. On our laptops we've replaced our Windows user passwords for PIV cards + PIN. The PIV is something we have, the PIN is something we know. Once logged in, single-sign-on in many of the applications we use. This system is pretty straight-forward and easier to use. Shell was another client and they did the same, so it seems to be a solid enterprise solution.
    watto_cobra
  • Reply 20 of 26
    9secondkox29secondkox2 Posts: 1,588member

    It's not immediately clear how falling back to a device PIN would be more secure than a properly configured password, however.

    The reason it’s more secure is because there are multiple factors - the device (something you have), and the PIN (something you know) or biometric - face, or finger (something you are).  No one is suggesting we replace passwords with PINs, they’re saying a device AND a PIN - or some other factor. 
    Is that true? I don't know if you will need to enroll a new device before using it. But either way, this is a dramatic improvement over passwords because it will prevent them from ever being transmitted. Like Kerberos or public-key SSH, no secret will be transmitted between server and client.

    Among other benefits, that means that there will be no compromises due to shared/reused passwords exposed by compromised sites. We see customers fall victim to that every week.
    A pin is basically a password. 

    Everything else is tying your activities directly to you. 

    Don’t like where this is going. 
    Yeah... no. I sympathize with your distaste for tracking, but you need to learn a lot more if you're going to have a meaningful opinion. As I said above, device PINs (while they have issues as well) are NOT the same as passwords.
    For all intents and purposes, PIN works just like a password. You enter a code and you gain access. The process and result are the same, whether a credit card, a device, a login, etc. 

    To eliminate. passwords, they must invade your privacy in order to authenticate. Already, the two-factor authentication, while more secure, is a way to track your logins to you using your phone number - or email address, which is also increasingly being verified by your phone number.
    watto_cobra
Sign In or Register to comment.