For more than a decade, we've been promised that a password-free world is at hand, yet, year after year, this security nirvana has proven elusive. Now, for the first time, a workable form of passwordless authentication will be publicly available in a standardized form adopted by Apple, Google, and Microsoft that enables cross-platform and cross-service passkeys.
Past password-killing schemes have had a number of problems. One of the main drawbacks is the lack of a workable recovery mechanism when a person loses control of the phone number, physical key, or phone associated with the account. Another limitation is that most solutions ultimately fail to be, in fact, completely passwordless. Instead, they give users the option of logging in with a facial or fingerprint scan, but the system eventually falls back to passwords, which means that phishing, password reuse, and forgotten passcodes, all the reasons we hate passwords to begin with, never go away.
What's different this time around is that Apple, Google, and Microsoft all appear to be collaborating on a single well-defined solution. Not only that, but the solution is easier than ever for users, and cheaper for big services like GitHub and Facebook to deploy. It has also been carefully designed and reviewed by experts in authentication and security.
Existing multi-factor authentication (MFA) methods have made significant strides over the last five years. Google, for example, lets me install an iOS or Android app that I use as a second factor when I log into my Google account from a new device. Based on CTAP, short for Client to Authenticator Protocol, this system uses Bluetooth to ensure that the phone is physically close to the new device and that the new device is, in fact, connected to Google and not to a site masquerading as Google. This makes the login phishing-resistant. The standard also ensures that the cryptographic secret stored on the phone cannot be extracted.
Google also offers its Advanced Protection Program, which requires a physical key, either a standalone dongle or the end user's phone, to authenticate a login from a new device.
The big limitation now is that passwordless authentication and MFA are implemented differently, if at all, by each service provider. Some providers, such as most banks and financial services, still send one-time passwords via SMS or email. Realizing that this is not a secure way to transmit security-sensitive secrets, many services have moved to a method known as TOTP, short for Time-based One-Time Password, to add a second factor, effectively augmenting the password with a "something I have" factor.
Physical security keys and TOTP, and to a lesser extent two-factor authentication via SMS and email, are important steps forward, but three major limitations remain. First, a TOTP, whether generated by an authenticator app or sent via text or email, can be phished in the same way as a regular password. Second, each service has its own closed MFA platform. This means that even when using a phishing-resistant form of MFA, such as a standalone physical key or a phone-based key, users need separate keys for Google, Microsoft, and every other Internet property. Worse, each OS platform has a different mechanism for implementing MFA.
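To make the first limitation concrete, the following added example (not code from the article or from any of the vendors it names) implements RFC 6238 TOTP and a deliberately simplified stand-in for a CTAP/WebAuthn assertion, then models a phishing page that relays what the victim's authenticator produces to the genuine service. The relying-party IDs, the challenge, and the use of HMAC in place of the public-key signature a real authenticator would produce are assumptions for illustration only.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, then dynamic truncation.
    The code depends only on the shared secret and the clock, never on where it is typed."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sign_assertion(device_key: bytes, rp_id: str, challenge: bytes) -> bytes:
    """Simplified FIDO-style assertion. The browser tells the authenticator which
    relying-party ID (origin) it is talking to, and that ID is bound into the signed data.
    Real CTAP/WebAuthn signs authenticatorData || SHA-256(clientDataJSON) with a per-site
    private key; HMAC over rp_id || challenge stands in for that here (assumption)."""
    return hmac.new(device_key, rp_id.encode() + b"\x00" + challenge, hashlib.sha256).digest()


def verify_assertion(device_key: bytes, expected_rp_id: str, challenge: bytes, assertion: bytes) -> bool:
    """The genuine service only ever verifies against its own rp_id."""
    expected = sign_assertion(device_key, expected_rp_id, challenge)
    return hmac.compare_digest(expected, assertion)


def relay_outcomes(now: int) -> dict:
    """Model a real-time relay: the phishing page forwards whatever the victim produces.
    Returns whether the genuine service would accept the relayed TOTP and the relayed
    origin-bound assertion."""
    secret = b"12345678901234567890"  # RFC 6238 Appendix B test secret (constructed scenario)
    genuine_rp = "accounts.example"          # assumed relying-party ID of the real service
    phish_rp = "accounts-example-login.test"  # assumed origin of the look-alike page

    # TOTP: the victim reads the code off the app and types it into the phishing page,
    # which forwards it. Nothing in the code ties it to an origin, so it is accepted.
    code_relayed = totp(secret, now)
    totp_accepted = hmac.compare_digest(totp(secret, now), code_relayed)

    # Origin-bound key: the browser reports the phishing page's origin to the
    # authenticator, so the assertion is signed for phish_rp. When relayed, the genuine
    # service verifies against genuine_rp and rejects it.
    challenge = b"\x01" * 32  # constructed; a real service uses a fresh random challenge
    assertion_relayed = sign_assertion(secret, phish_rp, challenge)
    passkey_accepted = verify_assertion(secret, genuine_rp, challenge, assertion_relayed)

    return {"totp_relay_accepted": totp_accepted, "passkey_relay_accepted": passkey_accepted}
```

The TOTP routine reproduces the RFC 6238 Appendix B SHA-1 vectors (time 59 gives 94287082 at 8 digits), so the comparison is against a correct implementation, not a weakened one.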
These problems lead to a third: low adoption among most end users, and the considerable cost and complexity that every service faces when trying to offer MFA.