The death of the password? FIDO Alliance unveils its new plan

After years of tantalizing hints that a password-free future is just around the corner, you probably don’t feel any closer to that digital liberation yet. Ten years into working on the problem, however, the FIDO Alliance, an industry association that specifically works on secure authentication, believes it has finally identified the missing piece of the puzzle.

On Thursday, the organization published a white paper that lays out FIDO’s vision for solving the usability problems that have hampered passwordless features and appear to have kept them from achieving widespread adoption. FIDO’s members collaborated on the paper, and they include chipmakers such as Intel and Qualcomm, prominent platform developers such as Amazon and Meta, financial institutions such as American Express and Bank of America, and the developers of all the major operating systems: Google, Microsoft and Apple.

The document is conceptual, not technical, but after years of investment to integrate the passwordless standards known as FIDO2 and WebAuthn into Windows, Android, iOS and more, everything now depends on the success of this next step.

“The key to the success of FIDO is to be easily accessible – we need to be as ubiquitous as passwords,” said Andrew Shikiar, executive director of the FIDO Alliance. “Passwords are part of the DNA of the web itself, and we’re trying to displace that. Not using a password should be easier than using a password.”

In practice, however, even the most hassle-free passwordless schemes are not quite there. Part of the challenge simply lies in the huge inertia that passwords have accumulated. Passwords are difficult to use and manage, which leads people to take shortcuts like reusing them across accounts and creates security issues at every turn. At the end of the day, though, they are the devil you know. Educating users about passwordless alternatives and getting them comfortable with the change has proven difficult.

Beyond simply acclimating people, however, FIDO seeks to get to the heart of what still makes passwordless schemes difficult to navigate. And the group concluded that it all comes down to the procedure of switching or adding devices. If the process of setting up, say, a new phone is too complicated and there’s no easy way to get into all your apps and accounts, or if you have to go back to passwords to regain ownership of those accounts, then most users will conclude that changing the status quo is too difficult.

The password-free FIDO standard now relies on the device’s biometric scanners (or a master PIN of your choice) to authenticate you locally, without your data traveling over the Internet to a web server for verification. The main concept that FIDO believes will eventually solve the new-device problem is for operating systems to implement a “FIDO credential” manager, which is somewhat similar to a built-in password manager. Instead of literally storing passwords, this mechanism will store cryptographic keys that can be synced between devices and are protected by a biometric or password lock on your device.
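The local-unlock and stored-key model described above can be sketched as a challenge-response exchange. This is an added example, not code from the FIDO Alliance or any platform: the class names, the PIN and the `https://example.test` origin are hypothetical, the signed message is a simplification of what WebAuthn actually signs, and key syncing between devices is not modelled.

```javascript
// Added illustration, not FIDO or platform code. All names are hypothetical.
const nodeCrypto = require('crypto');

// Device side: holds the private key and releases a signature only after a
// local unlock (a PIN here, standing in for a biometric check).
class Authenticator {
  constructor(pin) { this.pin = pin; this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);           // one key pair per site
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(origin, challenge, pin) {
    if (pin !== this.pin) throw new Error('local unlock failed');
    const key = this.keys.get(origin);
    if (!key) throw new Error('no credential for ' + origin);
    // The origin is signed together with the challenge, so a response
    // produced for one site does not verify at another.
    const data = Buffer.concat([Buffer.from(origin), challenge]);
    return nodeCrypto.sign('sha256', data, key);
  }
}

// Server side: stores one public key per user and never sees the PIN.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user);                   // single use, so a replay fails
    if (!challenge || !this.users.has(user)) return false;
    const data = Buffer.concat([Buffer.from(this.origin), challenge]);
    return nodeCrypto.verify('sha256', data, this.users.get(user), signature);
  }
}

// Constructed walk-through: enroll, log in once, then replay the same response.
function demo() {
  const device = new Authenticator('4821');
  const site = new RelyingParty('https://example.test');
  site.enroll('alice', device.register(site.origin));
  const sig = device.sign(site.origin, site.newChallenge('alice'), '4821');
  return { first: site.verify('alice', sig), replay: site.verify('alice', sig) };
}
```

The server's database holds only public keys, so a breach there yields nothing that can be replayed as a login secret.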

At Apple’s Worldwide Developers Conference last summer, the company announced its own version of what FIDO describes, an iCloud feature known as “Passwords in iCloud Keychain,” which Apple says is its “contribution to the post-password world.”
