Apple, Google, Microsoft increase FIDO, W3C support to widen passwordless sign-in
Apple, Google and Microsoft will work together to accelerate acceptance of a passwordless sign-in standard set by the FIDO Alliance and the World Wide Web Consortium (W3C) for their devices and platforms.
On World Password Day, the companies said the changes will create a better experience and enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method.
A Google blog post says a phone will hold a FIDO credential, or passkey, based on public-key encryption. The credential is presented to a locked site or app when the user unlocks their phone. Users working on a desktop computer will be prompted to unlock their phones when they reach a gated site.
The credential is always in the cloud, so it will download to a new phone along with all other backed-up data, according to Google.
Password-only authentication is one of the biggest security problems on the web. Constant reuse of passwords leads to account takeovers, data breaches and stolen identities.
While the three firms have supported FIDO standards for their passwordless authentication functions like face and fingerprint biometrics and PINs, the implementation has required users to sign in to each site or app with every device before they can use passwordless functionality.
Now, the tech giants are enabling automatic access via FIDO sign-in credentials on multiple devices without users having to re-enroll every account, and are letting users rely on FIDO authentication on a mobile device to sign in to an app or site on a nearby device, regardless of OS platform or browser.
“Ubiquity and usability are critical to seeing multi-factor authentication adopted at scale, and we applaud Apple, Google and Microsoft for helping make this objective a reality,” says Andrew Shikiar, executive director and CMO of the FIDO Alliance.
There will be “a new wave of low-friction FIDO implementations alongside the ongoing and growing utilization of security keys — giving service providers a full range of options for deploying modern, phishing-resistant authentication,” Shikiar says.
In April, FIDO announced a new test window for experts seeking FIDO-certified authentication professionals to help organizations move beyond passwords.