Apple, Google, and Microsoft to Work Together on Passwordless Logins

Posted on May 5, 2022 by Laurent Giret in Apple, Cloud, Google, Microsoft with 9 Comments

On World Password Day, Apple, Google, and Microsoft announced that they will be expanding support for the passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The three companies have already implemented support for passwordless sign-ins on their various platforms, but they’re now committed to making this experience more seamless for users.

The first new capability that Apple, Google, and Microsoft are planning to implement on their platforms is enabling users to use FIDO authentication on their mobile device to sign in to an app or website, regardless of the platform. The second new capability will allow users to automatically access their FIDO sign-in credentials on all of their devices without having to re-enroll every account on each of them.

“The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN. This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS,” the FIDO Alliance explained.

Apple, Google, and Microsoft are planning to implement these enhanced passwordless features on their platforms “over the course of the coming year.” Abandoning passwords should be a big step forward for security, even though it probably isn’t going to be as easy and obvious as it seems for most people.



9 responses to “Apple, Google, and Microsoft to Work Together on Passwordless Logins”

  1. red.radar

    I like Passwords.... makes sharing accounts easy.....but I don't like it for the exact same reason.

  2. truerock2

    OK... well it is as easy as it would seem... for users.


    It's hard to get all of the vendors to cooperate with each other.


    If you work for a large corporation with "single sign-on" you know what this is.


    The most important issue is securing the private keys... especially the backups. Especially at remote locations not connected to the internet.

    • mikegalos

      Having been an architect on converting a proprietary group of sign ons at a well known global corporation to an SSO system for both internal and external users I can tell you it's not easy but it is absolutely worth doing.

      • truerock2

        I'll repeat...


        not hard for the user... unless they do something like lose the device they store their private keys on


        hard for you

  3. mikegalos

    Great news. Passwords' time is long past and anyone still counting on them is relying on security theater and security by obscurity rather than actually being secure. The easier it is to eliminate them altogether the better for everyone.


    Of course, until then, a minimum of n-Factor and biometric in addition makes some sense and even using federated logins makes more sense than each site keeping their own vulnerable username/password database. (Hint, Paul)


  4. bluvg

    Weird, my comment shows up in one browser but not another, and the comment count is one off, so I'll try re-posting (without a formatted link to a Microsoft blog):


    Microsoft claims their commitment to this (which is a great goal), but in actual practice, the commitment seems tepid. For example, they claim to support FIDO for Windows login, but... they have broken it more than once, and left it broken for months. And you need line of sight to a DC. And you're more or less on your own when it doesn't work--troubleshooting tools are near-nonexistent, as well as actual support when it doesn't work (the poor soul responding to issues isn't on the product team: https: // techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-password-less-fido2-security-key-sign-in-to-windows-10/ba-p/1434583).


    So if you had deployed this, Windows login for your company would have been broken for a few months. That's how seriously Microsoft seems to treat actual implementation of these grand passwordless announcements.

  5. ross cooling

    Steve Gibson (grc.com) of Security Now on TWIT solved this years ago with SQRL (Secure Quick Reliable Login) https://www.grc.com/sqrl/sqrl.htm

    • truerock2

      The problem was solved when public/private key encryption was invented.


      Getting everyone to use a unified implementation is extremely difficult.


      Steve Gibson got too wound up about QR codes. That isn't relevant now that almost everyone who wants to log on to something has a mobile smart phone.

      • compunut

        SQRL moved QR codes to optional not far into the development. SQRL was well thought out and extremely useful... if it would just be adopted by vendors. Instead, they want to squabble over other standards that aren't as good but give them more control.