Passkeys, FIDO, and everything you need to know about Google and Apple’s proposed end to passwords

Apple, Google and other tech giants plan to end passwords for good. Here is what you need to know.

At the end of the year, Apple and Google will launch new versions of their main operating systems: iOS 16 and macOS Ventura from the Cupertino company, and Android 13 from the Mountain View firm.

Each company has a completely different roadmap for deploying its operating systems, and the platforms differ in the number and type of features they will include, although in some cases there are clear similarities. This year, ironically, Google has focused on privacy and Apple on personalization. But there is a link between the two companies' plans: a shared intention to put an end to passwords once and for all, through what are called “passkeys”.

Passkeys are the technology with which Apple and Google, along with other companies participating in the FIDO Alliance, intend to replace classic passwords as the login system for our Internet accounts. The process won’t be easy, but there’s no doubt that both companies have a more than solid foundation for achieving their goal of ending a verification method as old-fashioned and insecure as passwords.

Since this identification system is getting closer and there is no turning back, we wanted to answer the most frequently asked questions about passkeys, in order to understand how the arrival of this technology may mean the end of passwords as we know them today.

Google proposes to use the biometrics of our mobiles to put an end to passwords.

What is a “passkey”?

Google and Apple imagine a near future in which, when connecting to a web page or an application, it would be enough to unlock our mobile using a biometric method, such as a fingerprint reader or a facial recognition system, to identify ourselves and access our account. All without having to enter a password.

This is where passkeys come in: the login credential is stored as an encrypted key, which our mobile or PC uses when it tries to connect to an application or web page. To do this, the user must approve the use of the key by unlocking the device using a secure method, such as fingerprint detection, facial recognition or a PIN code.

Therefore, whenever you want to log in to a protected website or app, you need to use your own device as the verification method. This, in turn, means that two-factor authentication systems are no longer as necessary as they are today. Of course, it also adds a layer of difficulty when trying to log in to one of our accounts from a family member’s or friend’s device if you don’t have your own device handy.

However, there is a solution for this type of situation: when trying to log in to a website or application on a third-party device, it will be possible to scan a QR code with our mobile’s camera. The two devices connect via Bluetooth to confirm that they are close together, and once the mobile is unlocked with a secure method, the connection that carries out the authentication process is established.

An example of a login process using passkeys on an Android device.

Who is behind this system?

A collaboration between the FIDO Alliance and the World Wide Web Consortium led to the creation of passkeys. They were developed as an open, common standard that could mean the end of password-based access to web pages and apps, replacing it with a more secure and easier-to-use method.

In May this year, Apple, Google and Microsoft pledged to add support for this standard to their major platforms and accelerate its implementation on billions of devices worldwide.

Similarly, other companies specializing in password security, such as AgileBits (the company behind 1Password), LastPass and Dashlane, are also part of the FIDO Alliance, the promoter of this system.

Is it really a more secure method than passwords?

It is very likely that in your daily life you use dozens of different passwords to access the user accounts you have in applications and web pages of all kinds. And, unless you are really security conscious, some of these passwords may be repeated or may not follow all the recommendations of cybersecurity experts. This is more common than you might think: you only have to look at the list of the most used passwords in Spain to realize it.

The main purpose of passkeys is to eliminate the need to remember passwords or struggle to generate sufficiently strong ones for each web page or application. Threats such as phishing, scams, or simply using an insecure password are just some of the problems that this verification method has been dragging around for years and that passkeys can eliminate at a stroke.

In addition, passkeys use a well-proven security method: public key authentication. This is similar to the method used by credit or debit cards when verifying a payment: the web page or application only holds a record of each user’s public key, while the private key is stored encrypted on the user’s device, ready to be used during the login process.

Since there is no password database on the webpage or application servers, but only the public key record is stored, the user does not have to worry about possible hacking or data theft.
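
The public key login described above, as an added example that is not code from this article or from any real passkey implementation: a simplified challenge-response in Node.js, not the actual WebAuthn message format. The class names, the user `alice` and the `.example` origins are constructed for illustration, and the biometric unlock step is not modelled.

```javascript
const nodeCrypto = require('node:crypto');
// Bytes the device signs: the origin the browser loaded plus the server's nonce.
const signedBytes = (origin, challenge) =>
  Buffer.concat([Buffer.from(origin + '\n', 'utf8'), challenge]);

class Device {
  constructor() { this.privateKeys = new Map(); } // origin -> private key, stays on device
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKeys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this is sent to the site
  }
  // Runs after the user unlocks the device.
  sign(origin, challenge) {
    const key = this.privateKeys.get(origin);
    if (!key) return null; // no passkey for this origin, e.g. a look-alike site
    return nodeCrypto.sign('sha256', signedBytes(origin, challenge), key);
  }
}

class Server {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public key PEM: the only stored credential
    this.pending = new Map();    // user -> outstanding challenge
  }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  challenge(user) {
    const nonce = nodeCrypto.randomBytes(32);
    this.pending.set(user, nonce);
    return nonce;
  }
  verify(user, signature) {
    const nonce = this.pending.get(user), pem = this.publicKeys.get(user);
    this.pending.delete(user); // single use: a captured signature cannot be replayed
    if (!nonce || !pem || !signature) return false;
    return nodeCrypto.verify('sha256', signedBytes(this.origin, nonce), pem, signature);
  }
}

// Constructed walk-through: genuine login, replayed signature, look-alike origin.
function demo() {
  const device = new Device(), server = new Server('https://shop.example');
  server.enroll('alice', device.register(server.origin));
  const sig = device.sign(server.origin, server.challenge('alice'));
  const first = server.verify('alice', sig), replay = server.verify('alice', sig);
  const phished = device.sign('https://shop-login.example', server.challenge('alice'));
  return { first, replay, phished };
}
```

A copy of the server's `publicKeys` map contains nothing that can produce a valid signature, which is the property the paragraph above relies on.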

“12345” was the most used password in Spain in 2021, proof that passkeys are more necessary than ever.

Will it work on all your devices?

Vasu Jakkal, vice president of security at Microsoft, summed up one of the main advantages of this verification system: “By using passkeys on their mobile devices, users can log in to a Google Chrome browser running on Microsoft Windows, using a password on an Apple device.”

Because it is an open standard adopted by the three main companies, the only difference will be in the way each implements it on its own platforms. The base of the system will be the same, and there will be interoperability between Android, iOS, macOS, Windows, Chrome and the rest of the platforms and services.

When can you start using passkeys and forget passwords?

As I said at the beginning, Apple and Google, and Microsoft as well, intend to accelerate the implementation of passkeys on their main platforms, in order to make the long-awaited future without passwords a reality.

In the case of Google, 2022 and 2023 are expected to be key years for the implementation of passkeys on platforms such as Chrome and Android. In fact, Android 13 already introduces native support for passkeys, and the same is happening with iOS 16 and macOS Ventura in Apple’s case.

The support will therefore be ready by the end of the year. But it is better not to uninstall your password manager yet: we will have to wait for web pages and applications to introduce the option of using passkeys as a method of identifying users and, if the reception is positive, they could even become the default system when registering.

It therefore does not seem that passwords will disappear in the short or medium term. But if adoption by the main web pages and applications around the world progresses at a good pace, the transition could happen more quickly, and soon we could be talking about a much safer Internet for users.
