Is the end of online passwords upon us?

Unlocking our smartphone ’s home screen is designed to be easy. Given the number of times we do it every day — somewhere above 60, on average — we can be thankful that the process is simple. We might use a fingerprint, or Face ID , or draw a pattern, or type in a PIN, and we’re in. But what if every website and app we use worked this way? What if we could bin our passwords; forget the tests we’re forced to take to prove that we're not robots; and say goodbye to texted confirmation codes and access our accounts securely, safely and easily? That’s the idea behind Fido2 , an emerging system which lets us use that same mobile unlocking procedure to identify ourselves to online services. Rather appropriately, Fido stands for Fast Identity Online, and its aim is clear: to relieve us from the burden of having to think up passwords, remember them and keep them safe from prying eyes, while also reducing the incidence of fraud, scams and cyber crime. At the beginning of this month, Fido received a huge boost when Microsoft, Google and Apple put out a joint press release giving it their wholehearted backing, promising “consistent, secure and easy passwordless sign-ins to consumers across devices and platforms". Over the course of the year, all three companies will be rolling out enhanced capabilities for Fido2. Some online services already employ it, but they require the user to type in their existing password to set it up, which somewhat defeats the object. Soon, however, we will be able to sign into participating services automatically by choosing a Fido2 login option on screen and authenticating on a mobile device with a PIN, fingerprint or face. If we want to sign in on a nearby desktop computer, we can still use that mobile device to authenticate. No passwords are needed at any point. “This announcement [from Microsoft, Google and Apple] is a very big thing,” says Per Thorsheim, founder of PasswordsCon, an international conference dedicated to digital authentication. “We have seen so many different attempts at getting rid of passwords, but with Fido2 the usability improves a lot, and it’ll be built into laptops, modern computers, tablets and phones. The general public will finally have access to it.” You rarely see Microsoft, Apple and Google speak as one, but their desire to kill off the password is evidently strong enough for them to work together to help to achieve it. The simplicity of using Fido2 belies the complex cryptography which enables it to work, but crucially, no personal information is transmitted; the website simply knows that it's you, and Thorsheim is emphatic that it’s safe. “People that I seriously trust in cryptography say that this is secure, and I'm not going to argue with them. It’s proven. I hate to say it, but any weakness in the system is down to people. Us.” It’s clear that moving to a passwordless world will create an even greater dependence on mobile devices, and the first question that tends to be asked of the proposal is: 'What if I lose my phone? Or it’s stolen?'. Both Google and Apple have indicated that the secret passkey which enables the Fido2 magic to happen could be retrieved from the Cloud and moved to a new device, but there is clearly no perfect system; humans are fallible and other humans are eager to exploit that fallibility. Evidently the onus will be on us, the end users, to recognise and understand the enhanced role that mobile devices will play in a passwordless world. And that may not be easy for certain parts of society, according to Thorsheim. “I know my mum is going to ask me ‘Where's the password? Where's the PIN? Where is the secret thing that only I’m supposed to know?’,” he says. “I have no doubt that some people will perceive it as less secure because there isn't a password, and I’ve no idea how much time will have to be spent to try to convince them of [its safety].” While advances in technology often happen at lightning speed, personal security is a very human issue which moves much more slowly. Andrew Shikiar, the executive director of the Fido Alliance, has said that he expects 90 per cent of the major online services to offer passwordless access by 2025. Thorsheim, however, is more cautious. “I think Fido2 looks and feels really good, but I still say that passwords are going to be here for the foreseeable future,” he says. “It's going to take one, if not two, generations before we eventually see something like Fido2 get widespread adoption.” So it seems that we may have to hang on to our much-used passwords for just a little longer. But while we do, let’s make sure they’re not “123456” (or, perish the thought, “password”).

Is the end of online passwords upon us?

Google, Microsoft and Apple are backing alternatives for a passwordless future