Is a Passwordless Future on the Way? What You Should Know About FIDO-Based Authentication
Passwords are a ubiquitous part of life online. But ironically, they're actually not that good at the one job they've been given, which is to protect our accounts so that only the right people can access them. Why? Well, the password user experience is horrible, so people take shortcuts by using and reusing overly simple passwords, making them susceptible to hacks.
Password managers help solve these problems—and you should be using one if you’re not already—but the goal has always been to come up with a better solution.
Since 2013, the FIDO ("Fast IDentity Online") Alliance has been working on standards and technologies that would do just that—allow a ubiquitous, passwordless, and phishing-resistant authentication experience without the need for any custom software or hardware. Could this finally be the solution we've all been waiting for?
What we had until now
FIDO’s work led to the World Wide Web Consortium (W3C) recommending a protocol called WebAuthn in 2019, which paved the way for passwordless authentication. As a result, all modern browsers are now able to handle FIDO-based authentication, using an authenticator built into the system or a hardware authenticator such as a YubiKey.
This form of authentication has been available for quite some time, but it has its drawbacks. For one thing, the keys are stored locally, either in a hardware key (e.g., a YubiKey) or as part of the system (e.g., TouchID on MacBooks or Windows Hello on Windows). For another, there’s no seamless way for this approach to work across platforms. While YubiKeys can be used across platforms, for example, the authenticators built into systems cannot.
What has changed in 2022
In March 2022, FIDO released a white paper that dropped some clues about what the three dominant platform companies—Apple, Microsoft, and Google—planned to introduce to turn passwordless authentication into a reality for millions. On World Password Day (May 5th), we got the answer.
FIDO and the three platform companies intend to solve the cross-platform issue holding back wider adoption of FIDO-based authentication with three new ideas:
- Link the desktop/laptop device to the mobile device via Bluetooth. The mobile device thus becomes the de facto FIDO authenticator, no matter if it's an Apple or Android mobile device and no matter which browser/desktop platform combination. This approach potentially solves the cross-platform authentication problem. For example, you’d be able to log into your Windows device with an iPhone.
- Create a seamless browsing experience that allows frictionless registration and login to websites through the existing WebAuthn flows.
- Store the WebAuthn private keys (now known as passkeys) in the cloud, based on the user's mobile device account (e.g., iCloud Keychain or Google account).
Is this a perfect solution?
While these new changes proposed by FIDO bring us closer to a passwordless future, they also bring up some questions that are not yet answered.
Who has the keys?
One of the main concerns is who owns and controls your actual private keys: Apple, Google, or Microsoft? Not everyone is ready to give their login access to these companies.
While the keys are backed up in their secure cloud area, your Apple, Google, or Microsoft account remains the main access point. Will these platforms provide recovery methods if you lose access to your account? Will you be able to recover access to your private keys? Will users trust the privacy and security of these platforms and expose themselves to even greater ecosystem lock-in?
When choosing an Identity Provider (IdP), whether it’s a Big Tech company or an independent one, you want to be careful about whether this provider can technically access your private information or not. Dashlane, for example, has been built with zero-knowledge architecture, so only you have access to your data—which gives our users peace of mind and confidence that their privacy and security are protected.
FIDO's current plan does not seem to provide a choice: the only options are the three dominant platforms because they control the standards, hardware, and software that make the solution work.
How does a website support FIDO authentication?
A website that allows its users to authenticate with a password has a pretty simple implementation to support. However, FIDO authentication requires a much more complex setup for the website. While we think many large tech companies will adopt this form of authentication because they can dedicate a team of engineers to the task, many smaller websites will not have that luxury.
We expect this cost to websites to decrease over time as adoption increases and more tools become available, and we expect people to rely on a mix of passkeys and passwords for the foreseeable future.
How can I share access?
Businesses rely on having safe ways to share credentials among their employees. With passwords, it's pretty easy to share access to an account (e.g., Twitter for marketing departments). We believe the ability to share passkeys will be crucial to the adoption of this new tool, and that password managers are perfect for this use case.
How do I migrate from one operating system to another?
While you can use this technology on Android or iOS, it’s unclear what happens if you want to change from one to another. Will Apple let you transfer your keys to Google (Android)? This is one of our concerns; as promising as this technology is, we think users won’t want to be locked into one platform in order to benefit from it, and we don’t think they should have to be.
We’ve seen many announcements about a passwordless future, but when we’ll actually get to experience this future is still unknown. This announcement looks exciting, and even feasible—but there are still a lot of unanswered questions.
For a passwordless future to truly be viable, the standards need to be open; they can’t be controlled by the dominant platforms alone. Of particular concern is whether consumers will be required to store their passkeys with one of the big platforms, rather than having more control over their security and privacy. Consumer choice will be key to adoption, and an open ecosystem will lead to technical innovation—promoting a more secure, robust, and user-friendly experience.