Google, Apple and Microsoft want to kill passwords: what future do they suggest

The FIDO system does not use passwords: here is how it works. Photo: Shutterstock

Apple, Google and Microsoft want to do away with passwords. Instead, they propose the general use of the FIDO system, or “Fast Identity Online”, which relies not on passwords but on physical “keys”.

Instead of asking for a long string of characters, this system has the application or website you are logging into send a verification request to your phone. The phone must then be unlocked, authenticating with some type of PIN or biometric, before the login process can proceed.

There are also devices, called FIDO keys, that connect through USB or via NFC, that is, by proximity (as when we hold the SUBE card to the turnstile reader). Experts have long recommended these as a secondary authentication factor for accessing our accounts: a password plus a FIDO key on supported services, such as Windows, Google or social networks.

FIDO key, a security device. Photo: Shutterstock

The NGO FIDO, with more than 250 members drawn from companies and government, defines certification standards based on physical devices. The alliance said Thursday that it is working with the three companies to start offering password-free technology for websites and apps.

Instead of using a login password, apps and websites can identify you with a fingerprint reader, a facial scanner or even your phone. In this way, the major operating system vendors want to “expand support for a common password-free login standard created by the FIDO Alliance and World Wide Web Consortium”.

Some 2FA push systems work over the Internet, but this new FIDO scheme works with Bluetooth. As the white paper explained, “Bluetooth requires physical proximity, which means we already have a phishing-resistant way to tap into the phone of the user during authentication”.

Many companies have spent years trying to do without passwords, but it is not easy to achieve. Google gives the details in its blog post, with a full timeline from 2008.

The password problem

Users rarely use strong passwords. Photo by AFP

Passwords are a very old way of accessing services, not just online but historically in general. Their problem comes down to a saying: the easier for the user, the lower the security; and the higher the security, the lower the availability.

This means that a password that is too easy to remember will be insecure, while one that is long and mixes uppercase and lowercase letters and symbols will be very secure. But who can remember such formulas?

The point is that passwords work well if they are long, random, secret, and unique, but the human element of passwords is always a problem: we are not good at memorizing long, random strings of characters.

Users are often tempted to write down easy passwords to remember them, but this is an invitation to be hacked.

Beyond their security, FIDO keys are also practical: while applications like Google Authenticator ask us to enter a 6-digit code that we have to look up on the cell phone, the key offers a more direct way to log in.

That is, of course, always after entering the password: if the FIDO key is stolen, the thief can do nothing with it, because they would still need a password that only we know.

For this reason, the FIDO system emerges as a viable alternative to passwords and their vulnerabilities.

Source: Clarin
