After years of tantalizing hints that a passwordless future is near, you probably still don’t feel any closer to that digital unleashing. After ten years of working on the problem, the FIDO Alliance, an industry association dedicated to secure authentication, believes it has finally found the missing piece of the puzzle.
On Thursday, the organization released a white paper outlining FIDO’s vision for solving the usability problems that haunted passwordless features and, ostensibly, prevented them from achieving widespread adoption. FIDO’s members teamed up to produce the paper, and they included chip makers such as Intel and Qualcomm, prominent platform developers such as Amazon and Meta, financial institutions such as American Express and Bank of America, and the developers of all the major operating systems – Google, Microsoft, and Apple.
The document is conceptual, not technical, but after years of investment to integrate so-called FIDO2 and WebAuthn passwordless standards into Windows, Android, iOS and more, everything now revolves around the success of this next step.
“The key to success for FIDO is being readily available – we need to be as ubiquitous as passwords,” said Andrew Shikiar, executive director of the FIDO Alliance. “Passwords are part of the DNA of the web itself, and we’re trying to replace that. Not using a password should be easier than using a password.”
In practice, even the most seamless passwordless schemes aren’t quite there. Part of the challenge simply lies in the sheer slowness that passwords have built up. Passwords are difficult to use and manage, prompting people to take shortcuts like reusing them across different accounts, and it creates security vulnerabilities at every turn. But in the end they are the devil you know. Educating consumers about passwordless alternatives and familiarizing them with the change has proven difficult.
However, in addition to acclimating people, FIDO tries to get to the heart of what still makes navigating passwordless schemes difficult. And the group has come to the conclusion that it all comes down to the procedure for switching or adding devices. For example, if the process of setting up a new phone is too complicated and there’s no easy way to sign in to all your apps and accounts, or if you need to fall back on passwords to recover ownership of those accounts, then the most users will conclude that changing the status quo is too much of a hassle.
The passwordless FIDO standard already relies on a device’s biometric scanners (or a master PIN you select) to authenticate you locally without your data going over the internet to a web server for validation. The main concept that FIDO believes will eventually solve the new device problem is that operating systems implement a “FIDO credential manager”, which is somewhat similar to a built-in password manager. Rather than literally storing passwords, this mechanism stores cryptographic keys that can be synced between devices and monitored by your device’s biometric or passcode lock.
At Apple’s Worldwide Developer Conference last summer, the company announced its own version of what FIDO describes, an iCloud feature known as “Passkeys in iCloud Keychain,” which Apple says is its “contribution to a world beyond the password.”