Trading your password for your cellphone

Using passwords as a way to prove your identity online, though ubiquitous, has several downsides. For one, people forget passwords. And if passwords aren’t strong enough, they can be guessed by criminals.

Even then, attempts over the years to move away from passwords have struggled to catch on.

Last week, Apple, Google and Microsoft announced plans to work together on a “passwordless” authentication system for their various browsers, services and devices. The cross-platform collaboration is expected to start rolling out over the next year.

The companies say they will support Fast Identity Online (FIDO) protocols across their most commonly used products. I asked Kim Zetter, cybersecurity journalist and author, to explain how this particular type of authentication works.

The following is an edited transcript of our conversation.

Kim Zetter: The way it would work is it would essentially replace your password with your phone. So that instead of having to type in a password into a website form or an application form, you would authenticate yourself using what’s known as a “passkey,” inside your phone, that’s stored inside your phone securely.

Kimberly Adams: Now, some people do a version of this already, right?

Zetter: Yes. So Microsoft offers it for its users, I think, since about 2018. And there, there are millions of people who already use that to sign into Microsoft services. Google offered it, I think, beginning at around 2020, to get into your Gmail and things like that. So there are people who are already sort of familiar with this. The new innovation here is that you will be able to use a single device for everything, across platforms. So you would be able to use your Apple Watch in order to sign into a Google Chrome browser, on your Microsoft Windows laptop.

Adams: Ah, the mystical interoperability standards.

Zetter: [laughs] Yes, I mean, it’s all depending on how it all gets implemented. And it remains to be seen how seamless this all will be. We’ll see it as these companies roll it out over the next year. It’s very theoretical at this point, but it’s promising.

Adams: What is the key step, here, that serves as what we think of now as the password, the identifying factor that really proves it’s you and not somebody else?

Zetter: The difference here is that when you set up an account, you don’t use a password, you use your device, your phone. It will communicate with the website, and it will generate what’s called a private key and a public key. The public key gets distributed to that website, and the website will hold onto that public key. When you then want to sign in to your account, the public key on that website will reach out to the private key on the phone, and the private key will respond that it is you and it will then do the authentication, and it will log you right in. All you would have to do as a user at that point, is when you want to sign into that web account or to an application, you will simply authenticate yourself to your phone itself. So you’re authenticating locally, you’re not authenticating directly to the website. By simply typing in the pin to unlock your device, or using facial recognition or fingerprint, however you normally unlock your phone, that’s all you’ll be required to do at that point.

Adams: This seems to require [a user to rely] quite heavily on a smartphone. What happens if you don’t have one?

Zetter: Passwords won’t go away, for that reason — because not everyone has a mobile phone. This will be an alternative that, hopefully, people who do have mobile phones will migrate to. But for people who don’t have these devices, they’ll still be able to use passwords. The onus here is going to be on the website developers and application developers to implement the passwordless solution inside their systems, so that users who want to use the passwordless scheme can do so.

Adams: It feels like that might create sort of two versions of online security: the people who have smartphones and have access to this sort of higher-grade of secure passwords or passwordless interactions, and then everybody else.

Zetter: You could look at it that way. But you could also look at it as it actually reduces, drastically, the potential threat vector, or the threat landscape. Currently about 80% of hacks occur through either weak passwords or easily guessed passwords or stolen passwords. And so if you can reduce that down to even, let’s say, 40% or 30%, you’re going to reduce the number of hacking attempts we have. I mean, phishing attempts are one of the primary ways that hackers get in, not only to your your bank account, but also nation state actors getting into government systems, getting into corporate systems. So it really it’s attempting to reduce what now is a huge security problem. And it won’t eliminate it entirely. But the goal here is to really drastically reduce that landscape.

Related Links: More insight from Kimberly Adams

The formal announcement from the FIDO Alliance, Microsoft, Apple and Google has many more details on how this new system will work, including a white paper and a video explainer. The Verge has more coverage of the announcement, which came last week on World Password Day.

It’s kind of ironic, given the whole point is to eliminate passwords.

We’re also linking to a Verge article from 2014 about other failed attempts to kill the password.

But there’s a reason the tech industry keeps trying. The news site IT Pro Today reported on the SpyCloud 2022 Identity Exposure report, which found that 70% of breached passwords are still in use.

This means a lot of us still have terrible password hygiene.

Stories You Might Like

Passkeys versus passwords: Will we soon use biometrics for all logins?

Marketplace for Friday, September 23, 2016

12/20/17: Sexual harassment outside the spotlight

10/12/2017: A computer science "genius" on why we haven’t fixed cybersecurity

12/28/2017: A computer science "genius" on why we haven’t fixed cybersecurity (Replay)

02/06/17: How do you arrest an algorithm?