How Apple, Google and Microsoft will kill passwords and phishing in one fell swoop

Getty Images

For more than a decade, we’ve been promised that a world without passwords is fast approaching, yet year after year this security nirvana has proved out of reach. Now, for the first time, a convenient form of passwordless authentication is about to be made available to the general public, in the form of a standard adopted by Apple, Google and Microsoft that allows for passwordless, cross-platform and cross-service access.

Password-killing schemes pushed in the past suffered from a host of problems. One of the major shortcomings was the lack of a viable recovery mechanism when someone lost control of the phone numbers, physical tokens or phones linked to an account. Another limitation was that most solutions weren’t really passwordless after all. Instead, they gave users the option of logging in with a face scan or fingerprint, but these systems eventually fell back on a password, which meant that phishing, password reuse and forgotten passwords – all the reasons we hated passwords to begin with – didn’t go away.

A new approach

What’s different this time is that Apple, Google, and Microsoft all seem to be on board with the same well-defined solution. Not only that, but the solution is easier than ever for users, and it’s less expensive to deploy for big services like GitHub and Facebook. It has also been carefully designed and reviewed by authentication and security experts.

A mockup of what authentication without a password will look like.

FIDO Alliance

Current multi-factor authentication (MFA) methods have made significant progress over the past five years. Google, for example, lets me download an iOS or Android app that I use as a second factor when signing into my Google account from a new device. Based on CTAP – short for Client to Authenticator Protocol – this system uses Bluetooth to ensure that the phone is near the new device and that the new device is, in fact, connected to Google and not to a site posing as Google. That means it’s not phishable. The standard also ensures that the cryptographic secret stored on the phone cannot be extracted.

Google also offers an advanced protection program that requires physical keys in the form of standalone dongles or end-user phones to authenticate logins from new devices.

The current big limitation is that MFA and passwordless authentication are deployed differently, if at all, by each service provider. Some providers, like most banks and financial services, still send one-time passwords via text or email. Recognizing that these are not secure means of transporting security-sensitive secrets, many services have moved to a method known as TOTP – short for Time-Based One-Time Password – to allow the addition of a second factor, which effectively augments the password with the “something I have” factor.

Physical security keys, TOTPs and, to a lesser extent, two-factor authentication via SMS and email are a big step forward, but three main limitations remain. First, TOTPs generated through authenticator apps and sent by SMS or email are phishable, just like regular passwords. Second, each service has its own closed MFA platform. This means that even when using non-phishable forms of MFA, such as standalone physical keys or phone-based keys, a user needs a separate key for Google, Microsoft, and all other Internet properties. To make matters worse, each operating system platform has different mechanisms for implementing MFA.
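To make the first limitation concrete, here is a constructed Python model (added here, not from the article or the FIDO Alliance) of why a relayed TOTP code is accepted while a FIDO/WebAuthn-style assertion is not: the TOTP code carries no information about where it was typed, whereas the assertion is scoped by the browser to the site's RP ID and signed over the origin the browser actually saw. The RP ID `accounts.example`, the look-alike origin `accounts-example.evil` and the use of HMAC in place of the authenticator's public-key signature are simplifications for illustration, not the real protocol.

```python
"""Constructed model: TOTP is origin-blind, a FIDO-style assertion is origin-bound.
Not the FIDO spec; HMAC stands in for the authenticator's public-key signature."""
import hashlib, hmac, json, os, struct
from urllib.parse import urlparse

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_relay_accepted(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into a look-alike page, which relays it to the real
    service. Nothing in the code says where it was typed, so it verifies fine."""
    relayed = totp(secret, unix_time)            # what the look-alike page captured
    return hmac.compare_digest(relayed, totp(secret, unix_time))

def browser_get_assertion(creds: dict, rp_id: str, origin: str, challenge: bytes):
    """Browser + authenticator. The page chooses rp_id and challenge; the browser
    supplies the origin and only permits an rp_id that is the page's host or a
    registrable suffix of it (simplified). Credentials are scoped per RP ID."""
    host = urlparse(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("rp_id not permitted for this origin")
    key = creds.get(rp_id)
    if key is None:                              # no credential for this RP ID
        return None
    client_data = json.dumps({"origin": origin, "challenge": challenge.hex()}).encode()
    to_sign = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "sig": hmac.new(key, to_sign, hashlib.sha256).digest()}

def rp_verify(key: bytes, rp_id: str, expected_origin: str, challenge: bytes, a: dict) -> bool:
    """Relying party: origin and challenge must match, then the signature must verify."""
    cd = json.loads(a["client_data"])
    if cd["origin"] != expected_origin or bytes.fromhex(cd["challenge"]) != challenge:
        return False
    to_sign = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(a["client_data"]).digest()
    return hmac.compare_digest(hmac.new(key, to_sign, hashlib.sha256).digest(), a["sig"])

RP, REAL, FAKE = "accounts.example", "https://accounts.example", "https://accounts-example.evil"

def fido_login(creds: dict, page_origin: str, requested_rp_id: str) -> bool:
    """Whole exchange from the RP's point of view; it trusts only its own RP ID/origin."""
    challenge = os.urandom(32)                   # issued by the real RP (relayed if phished)
    try:
        a = browser_get_assertion(creds, requested_rp_id, page_origin, challenge)
    except ValueError:
        return False                             # browser refused a cross-site RP ID
    return a is not None and rp_verify(creds[RP], RP, REAL, challenge, a)
```

Running `fido_login` from the look-alike origin fails both ways: asking for the real RP ID is refused by the browser, and asking for its own RP ID finds no credential, while the relayed TOTP code verifies.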

These issues give way to a third: outright unusability for most end users, and the significant cost and complexity that each service faces when trying to offer MFA authentication.
