Passwordless (Premium)

Apple, Google, and Microsoft recently announced that they would all support a common passwordless sign-in standard. That’s cute, but of the three, only Microsoft has truly embraced passwordless sign-ins. Apple and Google have a lot more work to do. A lot more.

User authentication is, as Microsoft would say, a hard computer science problem. Platform makers like Apple, Google, and Microsoft need to supply sophisticated and secure means for signing into accounts that are backed by two-factor authentication (2FA) or similar verification techniques. And then users need to adopt those features on all of their devices. We’re only truly secure---or as secure as we can be---when both happen.

For both to happen, of course, the platform makers need to make the authentication process as seamless as possible. But only Microsoft is hitting on all cylinders in offering secure authentication capabilities with its online accounts and making them as frictionless as possible.

Let’s use an example to prove the point.

It is an enduring frustration to me that when I try to sign-in to a smartphone, be it an iPhone or an Android handset, or my iPad, I will sometimes be asked to enter my PIN “for additional security.” A PIN is not additional security, it’s less secure than the biometric sign in that the device is for some reason bypassing arbitrarily, be it after a reboot or randomly at other times. And I will never understand that.

But Microsoft gets this right. When you configure a Windows 10/11 PC to sign in with whatever Windows Hello means---PIN, facial recognition, or fingerprint recognition, in my case---it will never again ask you to use a different method (unless something isn’t working right). This is exactly the way that authentication should work.

Another example.

When I use Google Chrome, it routinely---and I mean, like at least once every week or so---asks me to sign in to my Google account manually using a goddamn password like it's 1997 again. I have no idea why this is needed so often, or why this thing can’t understand that I’ve securely signed in to Windows and there’s no need for this check. But it is so aggressive about making me manually type in my complex password that this alone is almost grounds for not using it anymore. (And please don’t get me started on the other reasons, which are obvious).

By contrast, Microsoft Edge---and, in my experience, all other major web browsers, Chromium-based or not---do not force this unnecessary requirement on its users. You sign in once, you’re in. You’re accessing the application---which, admittedly, is important, given that it can store passwords, credit card numbers, and other personal data---via a device that is itself secure. You’re doing the right thing and it treats you like an adult.

Another example.

When I sign in to my Google account anywhere---in Chrome, on a Chromebook, on an Android handset, or in some mobile app---I have to enter my G...