{"id":18529,"date":"2022-03-17T10:45:19","date_gmt":"2022-03-17T18:45:19","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/03\/17\/news-12262\/"},"modified":"2022-03-17T10:45:19","modified_gmt":"2022-03-17T18:45:19","slug":"news-12262","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/03\/17\/news-12262\/","title":{"rendered":"Death of the Password? FIDO Alliance Reveals Its New Plan"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62326d8252a9731157d77d6c\/master\/pass\/death-of-passwords.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Thu, 17 Mar 2022 12:00:00 +0000<\/strong><\/p>\n<p><span class=\"lead-in-text-callout\">After years of<\/span> tantalizing hints that a passwordless future is just around the corner, you&#x27;re probably still <a href=\"https:\/\/www.wired.com\/story\/passwords-not-dead-yet-authentication\/\">not feeling any closer<\/a> to that digital unshackling. 
Ten years into working on the issue, though, the FIDO Alliance, an industry association that specifically works on secure authentication, thinks it has finally identified the missing piece of the puzzle.\u00a0<\/p>\n<p class=\"paywall\">On Thursday, the organization published a <a href=\"https:\/\/media.fidoalliance.org\/wp-content\/uploads\/2022\/03\/FIDO-White-Paper-Choosing-FIDO-Authenticators-for-Enterprise-Use-Cases-RD10-2022.03.01.pdf\" rel=\"nofollow noopener\" target=\"_blank\">white paper<\/a> that lays out FIDO&#x27;s vision for solving the usability issues that have dogged passwordless features and, seemingly, kept them from achieving broad adoption. 
FIDO&#x27;s members collaborated to produce the paper, and they span chipmakers like Intel and Qualcomm, prominent platform developers like Amazon and Meta, financial institutions like American Express and Bank of America, and the developers of all major operating systems\u2014Google, Microsoft, and Apple.\u00a0<\/p>\n<p class=\"paywall\">The paper is conceptual, not technical, but after years of investment to integrate what are known as the FIDO2 and WebAuthn passwordless standards into <a href=\"https:\/\/www.wired.com\/story\/passwordless-microsoft-account\/\">Windows<\/a>, <a href=\"https:\/\/www.wired.com\/story\/android-passwordless-login-fido2\/\">Android<\/a>, iOS, and more, everything is now riding on the success of this next step.<\/p>\n<p class=\"paywall\">\u201cThe key to being successful for FIDO is being readily available\u2014we need to be as ubiquitous as passwords,\u201d says Andrew Shikiar, executive director of the FIDO Alliance. \u201cPasswords are part of the DNA of the web itself, and we\u2019re trying to supplant that. Not using a password should be easier than using a password.\u201d<\/p>\n<p class=\"paywall\">In practice, though, even the most seamless passwordless schemes are not quite there. Part of the challenge simply lies with the enormous inertia passwords have built up. Passwords are difficult to use and manage, which drives people to take shortcuts like reusing them across accounts and creates security issues at every turn.\u00a0Ultimately, though,\u00a0they\u2019re the devil you know. Educating consumers about passwordless alternatives and getting them comfortable with the change has proven difficult.<\/p>\n<p class=\"paywall\">Beyond just acclimating people, though, FIDO is looking to get to the heart of what still makes passwordless schemes tough to navigate. And the group has concluded that it all comes down to the procedure for switching or adding devices. 
If the process for setting up a new phone, say, is too complicated, and there\u2019s no simple way to log into all of your apps and accounts\u2014or if you have to fall back to passwords to reestablish your ownership of those accounts\u2014then most users will conclude that it\u2019s too much of a hassle to change the status quo.<\/p>\n<p class=\"paywall\">The passwordless FIDO standard already relies on a device\u2019s biometric scanner (or a PIN you select) to unlock a private key locally; what travels to the web server is a signed challenge, never the biometric or the PIN itself. The main concept that FIDO believes will ultimately solve the new-device issue is for operating systems to implement a \u201cFIDO credential\u201d manager, somewhat similar to a built-in password manager. Instead of storing passwords, this mechanism stores cryptographic keys that can sync between devices and are guarded by your device\u2019s biometric or passcode lock.\u00a0<\/p>\n<p class=\"paywall\">At Apple\u2019s Worldwide Developer Conference last summer, the company <a href=\"https:\/\/developer.apple.com\/videos\/play\/wwdc2021\/10106\/\" rel=\"nofollow noopener\" target=\"_blank\">announced<\/a> its own version of what FIDO is describing, an iCloud feature known as \u201cPasskeys in iCloud Keychain,\u201d which Apple says is its \u201ccontribution to a post-password world.\u201d<\/p>\n<p class=\"paywall\">\u201cPasskeys are WebAuthn credentials with the amazing security that the standard provides, combined with the usability of being backed up, synced, 
and working on all of your devices,\u201d Garrett Davidson, an engineer for Apple\u2019s app authentication experience team, <a href=\"https:\/\/developer.apple.com\/videos\/play\/wwdc2021\/10106\/\" rel=\"nofollow noopener\" target=\"_blank\">explained<\/a> at the conference in June. \u201cWe\u2019re storing them in iCloud Keychain. Just like everything else in your iCloud Keychain, they\u2019re end-to-end encrypted, so not even Apple can read them \u2026 And they\u2019re very easy to use. In most cases, it just takes a single tap or click to sign in.\u201d<\/p>\n<p class=\"paywall\">If you lost your old iPhone, for example, and you\u2019re unboxing a new one, the transfer process can happen simply through whatever setup flow Apple offers at the time. If you lost your iPhone and decide to switch to Android, or are moving between any other two digital ecosystems, the process may not be quite as smooth. But FIDO\u2019s white paper also includes another component, a proposed addition to its specification that would allow one of your existing devices, typically your phone, to act as a hardware token for another device, such as your laptop, similar to <a href=\"https:\/\/www.wired.com\/story\/google-titan-security-key-recall-ble\/\">stand-alone Bluetooth authentication dongles<\/a>, and provide physical authentication over Bluetooth. 
The idea is that this would still be virtually phish-proof: Bluetooth is a proximity-based protocol, so the device holding the key has to be physically near the one signing in, which a remote attacker relaying a fake login page cannot arrange. It also gives FIDO a building block for truly passwordless schemes that don\u2019t have to retain a backup password.<\/p>\n<p class=\"paywall\">Christiaan Brand, a product manager at Google who focuses on identity and security and collaborates on FIDO projects, says that the passkey-style plan follows logically from the smartphone or multi-device image of a passwordless future.<\/p>\n<p class=\"paywall\">\u201cThis grand vision of \u2018Let\u2019s move beyond the password,\u2019\u00a0we\u2019ve always had this end state in mind to be honest, it just took until everyone had mobile phones in their pockets,\u201d Brand says. Google joined FIDO just months after its formation in 2013. \u201cHopefully for the users it will be a small behavioral change, but the technology is a giant leap forward.\u201d<\/p>\n<p class=\"paywall\">To FIDO, the biggest priority is a paradigm shift in account security that will make phishing a thing of the past. Attackers have become masters at tricking users into unintentionally handing over their passwords, and even two-factor authentication codes or approval prompts can be exploited. Such scams facilitate criminal profit, but they have also played a role in espionage and destructive cyberattacks that have shaped geopolitics and global events.<\/p>\n<p class=\"paywall\">Even if FIDO has finally found the magic formula, passwords won\u2019t disappear overnight for a host of reasons. The most important is that not everyone owns a smartphone, much less multiple devices that can backstop each other if one is lost or stolen. And it will take years of turnover before everyone around the world has access to newer devices and operating system versions that support FIDO\u2019s passwordless push. In the meantime, tech companies will need to maintain both passwordless and password-based login schemes. 
In its new white paper and elsewhere, FIDO is working to support this transition, but as with any other tech migration (<a href=\"https:\/\/www.wired.com\/story\/microsoft-windows-xp-patch-very-bad-sign\/\">ahem, Windows XP<\/a>), the road will inevitably prove arduous.<\/p>\n<p class=\"paywall\">Additionally, while FIDO\u2019s proposal is a major security improvement over passwords in many ways, it isn\u2019t infallible. Its success will depend on the security of each operating system\u2019s implementation. You\u2019re already likely all too familiar with the nightmare of being forced to trust the authentication scheme of each website and service you have an account with, but no alternative is perfect. FIDO\u2019s vision will simply create a different, if potentially better and more sensible, set of weaknesses and points of failure. As FIDO itself notes, its plan for mainstream adoption of passwordless authentication is meant as a general-purpose solution and may not always fit the most extreme security requirements.<\/p>\n<p class=\"paywall\">And after all that, the tech industry will still need to turn FIDO\u2019s white paper into actual features that are easy to use and that convert people into passwordless believers.\u00a0<\/p>\n<p class=\"paywall\">\u201cSchemes like Passkey could work and be more secure than passwords as they stand now,\u201d says Johns Hopkins cryptographer Matthew Green. \u201cBut if the user interface for inter-device transfers sucks on some devices, it will suck for all of them, which would continue to discourage\u00a0use.\u201d<\/p>\n<p class=\"paywall\">After almost a decade of work, people looking for relief from passwords are left to hope that at this point FIDO is too big to fail. When asked if this is really it, if the death knell for passwords is truly, finally tolling, Google\u2019s Brand turns serious, but he doesn\u2019t hesitate to answer: \u201cI feel like everything is coalescing,\u201d he says. 
\u201cThis should be durable.\u201d<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/fido-alliance-ios-android-password-replacement\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62326d8252a9731157d77d6c\/master\/pass\/death-of-passwords.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Thu, 17 Mar 2022 12:00:00 +0000<\/strong><\/p>\n<p>After a decade of work, the FIDO Alliance says it\u2019s found the missing piece in the bridge to a password-free future.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21357],"class_list":["post-18529","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-security-news"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18529","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18529"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18529\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18529"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18529"},{"taxonomy
":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}