never was a question that would take years to turn the world away from passwords. Digital authentication technology, while deeply flawed, is ubiquitous and inveterate. However, for the past five years, the secure authentication industry association known as the FIDO Alliance has been making progress promote “pass keys”, a passwordless alternative to sign in to apps and websites. And yet, you probably still use a lot of passwords every day. In fact, you may not have any account protected by a passkey, despite wide adoption by Microsoft, Google, Apple, and many more.
At the RSA Security Conference in San Francisco next week, Christiaan Brand, Co-Chair of the FIDO2 Technical Working Group and Product Manager for Identity and Security at Google, will present a talk on new features and the growth in key adoption. by the way. He also plans to examine the current challenges facing passkeys in countering the inertia that passwords have accumulated over decades, and the long game of slowly phasing out password dominance.
“What I want to highlight is how far we’ve come, but what problems remain unresolved,” says Brand. “Passwords are everywhere and they are bad, but everyone is used to them. Users don’t want to be surprised and don’t like the change. Therefore, it is very important to think of access keys as augmentation. We need to push users towards what will be easier and more secure.”
Over the past year, Brand says, FIDO has made significant progress implementing features to support its passwordless vision. The infrastructure is now ready to support access keys so they can be synced across devices, get services that prompt users for access keys instead of always using the default username and password, and use the Bluetooth-based proximity detection to share passkey authentication between devices. These three points address the main usability issues that FIDO publishes publicly. willing to improve A year ago.
However, in practice, there are still obstacles, and the development of these solutions has taken time. For example, Brand says the new Bluetooth-based proximity sensing protocol was carefully designed to avoid security issues that often plague Bluetooth implementations. The idea was to remove most of the functionality of Bluetooth and exclusively use the protocol for proximity checks instead of data transfers. This approach has allowed passkeys to bypass many of Bluetooth’s quirks and reliability issues when attempting to pair devices.
However, developing a consistent “user experience” (UX) for passkeys across different operating systems and web services is an ongoing challenge. If, for example, you sign in to your Google account from a Mac using traditional passwords, your credentials are still verified against what Google has on record for your account on one of the company’s servers. But the security and phishing resistance benefits of passkeys come from the fact that they work differently. If you use a passkey to sign in to your Google account from a Mac, the cryptographic verification is done locally and Apple is never directly involved; everything the user experiences during the interaction is provided by macOS, not Google.