Goodbye To Passwords?

It’s difficult to get Google, Apple, and Microsoft to agree on much. The three tech giants are all fierce rivals of each other and compete on software and hardware products every day of every week of the year. There is one thing they agree on, though, and that’s that passwords are no longer sufficient when it comes to keeping data secure on the internet. They want to make passwords a thing of the past and move on to a new way of doing things. In fact, they feel so passionate about it that they’ve teamed up together to announce the launch of a major FIDO passkey technology rollout. They couldn’t have picked a better time to announce their Avengers-style partnership, as the announcement came on May 5^th.

Most people probably aren’t aware of this, but May 5^th is World Password Day. If these three companies have their way, it might be the last World Password Day ever.

In a joint pact, Microsoft, Apple, and Google have committed to building a passwordless sign-in mechanism across all of their desktop, mobile, and browser platforms within the next twelve months. In practice, that covers almost every software platform and browser that people use regularly.

It also means that phones will become all-important when it comes to proving the identity of a person who wants to access an account or a piece of information on the internet. Without passwords, phones become authentication devices.

To prove that someone is who they say they are, they’ll be asked to verify their identity by entering their screen lock code on their phone or, alternatively, using a fingerprint or face ID. Once the user’s identity is verified, a cryptographic passkey token is sent to the website, and the sign-in process is permitted to complete.

The reasoning behind this is simple. The three companies believe that passwords are too vulnerable and no longer fit for purpose. While tech companies have spent the past twenty years telling us that we need to choose better passwords, most people don’t take any notice.

There are all too many passwords out there based on people’s names, spouses, pets, schools, preferred sports teams, children’s names or other guessable combinations. In 2021 it was reported that more than fifteen billion stolen passwords are freely available on the “dark web.” That’s two passwords for every human being living on Earth, and you can rest assured that at least one of your old passwords for an account you’ve forgotten about is listed there somewhere. It might not ever be used, but that doesn’t mean it isn’t available.

Many people make the incorrect assumption that nobody would be interested in hacking them because they don’t have much money or any valuable information worth hacking them for. Those people forget that hackers don’t know who’s got what until they’ve hacked them. The motivation and methodology of a hacker are very similar to that of someone who spends hours playing online slots games at casino websites. They know that most of their spins are going to cost them time and money and achieve nothing, but they keep doing it because they know that they’ll eventually hit the jackpot and walk away from the casino in profit. The wilier of those players use a website like sistersite.co.uk to work out which casinos and casino networks are most likely to offer them that profitable return. The masses of passwords available on the dark web – and in other places – are the equivalent of a casino sister site guide for hackers. They let hackers know what might be available, and it’s then down to the hackers to try all the combinations until they find a door worth opening.

Microsoft, Apple and Google hope that customers and web users are so accustomed to using their phones regularly that being asked to confirm logins on their mobile devices won’t be a barrier to them. They also hope that people will appreciate the conveniences of such a method once they become accustomed to it. Using a phone as a validation tool means that there’s no longer a need to remember different passwords across multiple websites and platforms. Additionally, it means that the risk of accidentally compromising multiple accounts by using the same password in more than one place no longer exists. While there’s no such thing as a hack-proof method, it would be far harder for a hacker to remotely acquire login details without access to the phone of the person they’re targeting. Hacking a phone is still a lot harder than hacking a computer is. If all goes well and this plan works out, phishing attacks could become a thing of the past. Nobody would enter a password on a spoofed website because they would have no password to enter.

While the idea of these three companies working together might seem unprecedented, the reality is that their technologies have worked hand in hand for a long time. Plenty of people reading this article right now will be doing so through a Google Chrome browser on a device with an operating system provided by Apple or Microsoft. You could even be using Chrome on a Microsoft Operating system while using an Apple phone to verify your identity. The platforms and devices already work together – this new alliance is merely a recognition of that.

As great as the new plan sounds, there’s an obvious issue with it. If somebody loses their phone, they could be locked out of their social media accounts, their bank account, and everything else they log into regularly. According to Google, though, this isn’t as big an issue as it might first appear. Passkeys are stored in cloud backups, so when a new device is acquired to replace one that’s lost, the passkeys can be re-synced to the new device from the backup in the cloud. The owner of the new phone would presumably somehow have to prove their identity without access to any of those passkeys, but we assume that issue has already been thought about and planned for. We’ll find out more about that when further details are provided later in the year ahead of a planned rollout across the entire technology industry before the end of 2023.