Question of the Fortnight
25 May – 7 June 2022 • Issue 632

THE FACTS
- Apple, Google and Microsoft have jointly announced plans to introduce passwordless systems for signing into accounts
- It means you’ll be able to log into any platform run by the firms simply by unlocking your phone
- If you lose your phone, you’ll be able to recover your method of signing in from another device

Soon you won’t have to remember your login or type two-factor codes
Is your phone about to become your new password?

Your phone can already replace your address book, your debit card, your camera and your watch. Soon it will also be able to replace all your passwords. To sign into websites and accounts you’ll just need to unlock your phone, whether by typing a PIN or using a biometric method such as facial recognition or your fingerprint.
This is the ‘passwordless’ future promoted by Apple, Google and Microsoft, and supported by technology groups FIDO (Fast Identity Online) Alliance and the World Wide Web Consortium (W3C) who for years have been calling for firms to adopt a universal login standard. Getting these three tech giants on board was vital because they own the world’s biggest operating systems (iOS, Android, macOS, Windows) and browsers (Safari, Chrome, Edge).
FIDO acknowledges that the rise of password managers and two-factor authentication (2FA) has made “incremental improvements” to our safety when signing in, but says the new measures provide a more “consistent, secure and easy” way to access your accounts.
Let’s examine each aspect of that claim. The consistency argument is supported by the range of platforms that will work with passwordless logins. A single action for signing into systems as diverse as iOS, Chrome and Windows is welcome. And by signing into different systems you’re also signing into different devices – your Android phone and Windows laptop, for example.
FIDO makes it look easy in the illustration above: use your fingerprint to sign into your phone, and the action is replicated on your laptop. If you lose your phone, just use another device to reactivate your method of logging in.
As for security, it’s as strong as you could hope for. When you sign into your phone it shares a unique cryptographic token called a passkey with your online accounts. Also, as no-one is sending you a code to type, there’s no information that a scammer could steal from you in a phishing attack. FIDO president Sampath Srinivas calls this an “end-to-end passwordless experience with phishing-resistant security”.
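How that phishing resistance works, as an added example that is not part of the original article: a simplified JavaScript model (not the real WebAuthn message format) in which the phone signs a one-time challenge with a key tied to one website address, so a lookalike page receives nothing it can reuse. The Phone and Website classes and both web addresses are made up for illustration.

```javascript
// Added example: simplified model of a passkey sign-in, not the real WebAuthn format.
const crypto = require('crypto');

// The phone keeps one private key per website address (origin).
class Phone {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half is given to the website
  }
  // `origin` is reported by the browser, not chosen by the page being shown.
  signIn(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no passkey for this address: nothing to hand over
    const clientData = Buffer.from(JSON.stringify({ origin, challenge }));
    return { clientData, signature: crypto.sign(null, clientData, key) };
  }
}

class Website {
  constructor(origin) { this.origin = origin; this.publicKey = null; this.pending = new Set(); }
  newChallenge() {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.add(challenge);
    return challenge;
  }
  verify(assertion) {
    if (!assertion) return false;
    const { clientData, signature } = assertion;
    if (!crypto.verify(null, clientData, this.publicKey, signature)) return false;
    const { origin, challenge } = JSON.parse(clientData.toString());
    // The address must match exactly and each challenge is accepted only once.
    return origin === this.origin && this.pending.delete(challenge);
  }
}

function demo() {
  const phone = new Phone();
  const site = new Website('https://accounts.example'); // constructed address
  site.publicKey = phone.register(site.origin);
  const genuine = phone.signIn(site.origin, site.newChallenge());
  const ok = site.verify(genuine);
  const replayed = site.verify(genuine); // same response submitted a second time
  // A lookalike page passes on a fresh challenge from the real site.
  const fake = phone.signIn('https://accounts-example.test', site.newChallenge());
  return { ok, replayed, lookalike: site.verify(fake) };
}
console.log(demo());
```

Only the genuine sign-in succeeds: the repeated response is rejected because its challenge has been used, and the lookalike address gets no signature at all.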
Which brings us to ease of use. In FIDO’s world, everyone has a smartphone and treats it as an essential part of everyday life. If that applies to you, then using your phone as a gateway for all your accounts makes sense. Apple, Google and Microsoft already run passwordless systems, but they work independently of each other. Using a master system that comprises all three companies has clear benefits.
But not everybody lives in FIDO’s world. Many people use basic (or ‘dumb’) phones that won’t work with passwordless systems. They already feel alienated by organisations such as banks and the NHS demanding a smartphone to perform vital tasks. Also, will there be a psychological barrier to passwordless logins? Typing a password can feel reassuring and some may baulk at handing this responsibility to their phone.
That said, others will be attracted to the idea of never again having to type a 2FA code, particularly if they’re plagued by poor connections and often don’t receive their codes in time to sign in. Passwordless systems might give people a good reason to swap their dumb phone for a smarter model.
The first passwordless logins are expected to appear by the end of the year, but only when all three companies have launched their systems will we know whether they deliver on their ambitious promise. Plenty of problems could still arise, so don’t ditch your passwords just yet.