Little by little, the technology giants are betting on a world without passwords, where other authentication strategies deemed more secure are put in place. This is the case with Microsoft, which in September of last year announced that all users with a Microsoft account could delete their passwords if they wish.
This is possible through the use of Microsoft Authenticator, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services.
Now, Google is also preparing to go in this direction with a system based on access keys (passkeys). This is a new proposal that links a private key to the user's personal account and allows it to be synchronized between devices for use on the web.
The FIDO (Fast Identity Online) Alliance, of which some of the most important technology companies are members and whose objective is to create new secure standards for the management of digital services, proposed a new security approach that leaves out both passwords and two-factor authentication.
Microsoft is part of the FIDO alliance
These are cross-device credentials, capable of resisting phishing, which has grown so much in recent times.
In this case, the proposal stores cryptographic information, a private key, on the device (mobile, computer or tablet). When the user attempts to access a website, the device generates a signature, and the server then verifies that it was created with that private key.
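The sign-and-verify step described above, as an added example (not code from FIDO, Google, Apple or Microsoft): a simplified challenge/response in Node.js showing why a signature that covers the site's origin resists phishing. The JSON message layout, the function names and the `shop.example` origins are assumptions made for illustration; real WebAuthn uses a different encoding.

```javascript
// Added illustration: simplified passkey-style login, not the real WebAuthn format.
const crypto = require("node:crypto");

// Device: one key pair per website. Only the public key is sent to the server.
function createPasskey() {
  return crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
}

// Device: sign the server's challenge together with the origin the browser sees.
function signAssertion(privateKey, challenge, seenOrigin) {
  const clientData = JSON.stringify({
    challenge: challenge.toString("base64"),
    origin: seenOrigin,
  });
  const signature = crypto.sign("sha256", Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Server: checks origin, challenge freshness, then the signature itself.
function verifyAssertion(publicKey, expectedOrigin, expectedChallenge, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin) return "origin-mismatch";
  if (data.challenge !== expectedChallenge.toString("base64")) return "stale-challenge";
  const ok = crypto.verify("sha256", Buffer.from(assertion.clientData),
                           publicKey, assertion.signature);
  return ok ? "ok" : "bad-signature";
}

// Constructed scenario: one genuine login and three assertions the server must reject.
function demo() {
  const site = "https://shop.example";            // hypothetical relying party
  const lookalike = "https://shop-example.test";  // hypothetical look-alike origin
  const { publicKey, privateKey } = createPasskey();
  const challenge = crypto.randomBytes(32);
  const check = (c, a) => verifyAssertion(publicKey, site, c, a);

  const genuine = signAssertion(privateKey, challenge, site);
  const wrongSite = signAssertion(privateKey, challenge, lookalike);
  // Same assertion with its origin field rewritten after signing.
  const edited = { ...wrongSite,
    clientData: wrongSite.clientData.replace("shop-example.test", "shop.example") };
  return {
    genuine: check(challenge, genuine),
    lookalike: check(challenge, wrongSite),
    edited: check(challenge, edited),
    replay: check(crypto.randomBytes(32), genuine), // old assertion, new challenge
  };
}
console.log(demo());
```

The server never holds a secret that could be typed into the wrong page: it stores the public key and rejects any assertion whose origin, challenge or signature does not match.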
In the case of Android, the access keys are saved in the Google account, which allows this information to be synchronized between devices, useful if, for example, you change your mobile phone.
The user will still need to log into their account with the password, but will not need a password for web services.
In practice, this process functions like a password manager and is commercially known as the access key (passkey), as the alliance mentions in its March 2022 report on how FIDO addresses a full range of use cases.
“Like password managers with passwords, the underlying operating system platform will synchronize the cryptographic keys belonging to a FIDO ID from device to device. This means that the security and availability of a user’s synchronized credentials depends on the security of the underlying operating system’s platform authentication mechanism (Google, Apple, Microsoft, etc.) for their online accounts, and the security method to restore access when all (old) devices are lost,” reads one of the FIDO documents.
Last year Apple announced a new authentication feature, called Passkeys, which would allow users to use FaceID or TouchID to log into websites compatible with this system. This way, they would not need to resort to a password since they will be using a biometric system.
The announcement was made in June last year, during the developer session titled Go Beyond Passwords, offered by Apple as part of its annual event for developers (WWDC 21).
As the company explains, it is also based on the protocol promoted by the FIDO Alliance, which Apple joined in February 2020 to improve online authentication.
Passkeys avoids having to remember a password when logging into a website, as long as the page in question offers support for this technology.
Instead of a password, FaceID facial recognition or TouchID fingerprint recognition is linked to the username.
Support for it has already been included in iOS, in the second beta of version 15.5. For its part, Google is working to include this new initiative, as 9to5Google identified by checking a few lines of code from the latest version of Google Play Services (version 22.15.14).