If Microsoft, Google and Apple have anything to do about it, a password-free world is within reach over the next couple of years. With device hacking and security breaches continuing to pose huge issues with broad financial and long-term productivity consequences, unshackling users from passwords would have a “manna from heaven” reaction from users of all stripes. But will we see this in our lifetimes?
Before I delve into last week’s Microsoft, Google and Apple announcement, it’s helpful to understand why more progress hasn’t been made on this front. Various approaches to gut passwords from the technology landscape have suffered numerous challenges. First of all, there are complexity problems coming up with a realistic recovery mechanism when a user loses access to a phone number (or a physical token) tied to a specific account. Another common problem was that the majority of solutions promulgated proved to be not genuinely passwordless, meaning that users were often given the ability to log on with a biometrics-based fingerprint or face scan, but only in concert with using a traditional password. Apple macOS and Microsoft Windows are excellent examples of this approach, but there are others.
The core problem is that passwords are difficult to remember, must often change regularly to heighten their effectiveness, and are susceptible to phishing.
What’s different about the approach that Apple, Google and Microsoft have announced?
Right off the battle, Apple, Google, and Microsoft’s plan is attractive because it’s cross-platform and cross-service (from a passkeys standpoint) in nature. It also represents the first time the three browser titans appear to be on the same page with an aligned, well-articulated plan. There are also ease of use benefits that will make it less painful and costly for companies like Facebook and most prominent services to implement. The Apple, Microsoft, and Google plan also has a quasi-Good Housekeeping element of approval as it’s been peer-reviewed by authorities in security and authentication. This last attribute instantly raises the credibility of the initiative.
Apple and Google’s participation in this initiative is particularly critical given their collective smartphone market share position and ability to influence other companies. After the company joined the FIDO (Fast Identity Online) Alliance in 2020, Apple, Google and Microsoft issued a joint statement that the alliance is focused on permitting websites to provide secure and basic sign-ins without utilizing passwords.
The plan that Apple, Google and Microsoft are getting behind aims to put significant structure around the current disorder of MFA (Multi-Factor Authentication) services in several meaningful ways. This plan is a huge step forward as MFA and service providers’ passwordless authentication is often released in dissimilar ways (and sometimes not at all). Users are quite familiar with how most banks and financial institutions send out one-time passwords via SMS text messages or emails. The problem with this current method is that it’s not a secure way of transporting security-sensitive secrets.
By delivering a fingerprint or facial scan to the device, a user will be able to log on without entering a password, which is dramatically faster and certainly more convenient. Of equal importance is that the security credential can be stored online so that it’s accessible when an individual replaces or loses their smartphone, which solves the problem I outlined at the onset. This approach operates by using an existing authenticated device to download the required credential without the need for a password.
Why is this so important?
The implications of what Apple, Google, and Microsoft are trying to accomplish via their FIDO Alliance participation cannot be overestimated. Earlier this year, the FIDO Alliance released an official white paper, but getting the most influential browser makers to support the overall approach outlined above is enormous.
Let’s face it — — character-based passwords have been part of the computer industry for decades. Getting rid of passwords is a complicated, convoluted endeavor because they’ve been the traditional way for users to identify themselves on the internet for years. Unfortunately, human nature makes it difficult for users to give up the “comfy” and accustomed way of logging onto a website, regardless of the security risks. IBM estimates the average cost to a business of a single data breach is $3.86 million, so something clearly needs to be done.
Beyond the potential savings in security breach costs and peace of mind benefits, I relish the day when secured computing truly becomes a passwordless experience in a cross-platform and multi-device manner. Speaking for myself, I never want to remember and type @%fs@#$@823! ever again. And I don’t think I’m the only one.
Mark Vena is the CEO and Principal Analyst at SmartTech Research based in Silicon Valley. As a technology industry veteran for over 25 years, Mark covers many consumer tech topics, including PCs, smartphones, smart home, connected health, security, PC and console gaming, and streaming entertainment solutions. Mark has held senior marketing and business leadership positions at Compaq, Dell, Alienware, Synaptics, Sling Media and Neato Robotics. Mark has appeared on CNBC, NBC News, ABC News, Business Today, The Discovery Channel and other media outlets. Mark’s analysis and commentary have appeared on Forbes.com and other well-known business news and research sites. His comments about the consumer tech space have repeatedly appeared in The Wall Street Journal, The New York Times, USA Today, TechNewsWorld and other news publications.
SmartTech Research, like all research and tech industry analyst firms, provides or has provided paid services to technology companies. These services include research, analysis, advising, consulting, benchmarking, acquisition or speaking sponsorships. Companies mentioned in this article may have utilized these services.
