Apple, Google, and Microsoft are teaming up to make the web more secure and eliminate passwords
This could fundamentally change your relationship with online privacy.
From Apple’s press release:
In a joint effort to make the web more secure and usable for all, Apple, Google, and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.
We all hate having to generate and keep track of passwords. Apple’s iCloud Keychain helps: it syncs your passwords across all of your Apple devices and can even suggest a strong password when you create an online account. But depending on how a website’s sign-up form is coded, your Apple device may not realize that you’re creating an account (a form whose fields don’t carry the standard autocomplete="new-password" hint is a common culprit). When that happens it never suggests a password, and you’re more likely to fall back on old habits like reusing one you already have. We’ve all done it! Some people even leave a sticky note with their password under the keyboard, which is about as secure as leaving a key to your home under the doormat. We all groan when a service makes us change a password, or when we have to dig through a password manager app. If Apple and its partners can make this go away, it will genuinely be a great service to mankind.
So how does FIDO work? Here’s what the alliance says on its website:
During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.
The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.
That last part is pretty key. You may not realize it, but when you set up Touch ID or Face ID on an Apple device, the biometric data (a mathematical representation of your fingerprint or face, not the image itself) stays on your device, inside a hardware component Apple calls the Secure Enclave. It’s part of the A-series or M-series system-on-a-chip in your iPhone, iPad, or Mac, and it is never uploaded to Apple’s servers. That’s why you have to set up Face ID again every time you get a new iPhone: if Apple stored that data in the cloud, it could simply be synced over.
As for storing the keys, my guess is that Apple will keep them in the device’s keychain, which can be synced across devices. Either way, Touch ID or Face ID only unlocks the private key on the device so it can sign the website’s challenge; nothing biometric is sent to the website or service you’re signing into. It’s a little unclear what the participation of Google and Microsoft will entail beyond presumably doing the same on Android, Chrome, and Windows, but my guess is that this is partly a way for all three companies to say they’re committed to adopting and evangelizing this technology. After all, they’ll have to convince everyone else, meaning every website and app, to adopt passwordless sign-in. Here’s hoping this alliance is successful.
I am not convinced this is a good idea. If it's for logging into a *device*, fine. But otherwise I fear being hopelessly locked out of my own accounts.
I like passwords. Please don’t take them away.