Google, Microsoft and Apple have announced plans to expand support for passwordless login across major operating systems and devices. The three companies announced on May 5, 2022 their intention to support a passwordless login standard, which was created by the FIDO Alliance and the World Wide Web Consortium.
Current passwordless login options are specific to certain operating systems or services. Microsoft introduced support for passwordless accounts in 2021 and support for passwordless logins nearly five years ago.
Customers can configure the feature online to use the company’s Authenticator app, Windows Hello, or other authentication options to sign in to their accounts on Windows devices and Microsoft services. The company says more than 240 million customers log into their accounts without using a password every month.
According to the company, more than 330,000 customers have completely removed their Microsoft account password in the past six months.
“‘Easier, Stronger Authentication’ is not just the FIDO Alliance slogan – it has also been a guiding principle for our specifications and deployment guidelines. Pervasiveness and ease of use are key to seeing multi-factor authentication widely adopted, and we applaud Apple, Google, and Microsoft for helping to make that goal a reality by committing to supporting this user-friendly innovation in their platforms and products,” said Andrew Shikiar, Executive Director and CMO of the FIDO Alliance.
The enhanced standard bridges the gap between different operating systems, devices, apps, and services, so websites, services, and apps can deliver “consistent, secure, and easy passwordless logins to consumers across all devices and platforms,” according to the announcement.
Passwords are “one of the most common entry points for attackers” according to Vasu Jakkal, Microsoft Vice President, Security, Compliance, Identity, and Management. Password attacks have almost doubled in the past 12 months according to Microsoft.
Two-factor authentication mechanisms help protect accounts, as they block 99.9% of all attacks according to a Microsoft study. While attackers can steal user passwords, for example, through phishing attacks, brute force attacks or malware, two-factor authentication blocks account access until a secondary form of authentication is completed. Authenticator apps can be used for this, but other methods exist as well.
Passwordless login systems go one step further by removing passwords from accounts. Users use the same authentication options they use for two-factor authentication, such as an authenticator app, security key, Windows Hello, or codes sent to mobile devices, computers or email accounts, but without having to provide a password.
The extended standard gives websites and applications the ability to offer end-to-end passwordless login options to their users and customers. With the new system enabled on their mobile devices, users will use the same verification methods to log in to apps or services they regularly use on their devices. They can enter their PIN or use biometric authentication options, if supported by the device.
Apple, Google and Microsoft are expected to introduce support for the extended standard in 2023.
Benefits of the new passwordless standard
The new passwordless standard was created by the FIDO Alliance and the W3C. It’s backed by Microsoft, Google, and Apple, which will add support to their platforms. The three companies have “led the development of the expanded set of capabilities” to extend what is already supported.
The main advantage of the extended standard is that it adds features that significantly improve the experience:
- Users can use the authentication option provided by FIDO on their mobile devices to log in to any app, website or nearby device, regardless of the operating system or browser used.
- Access FIDO login credentials on any device belonging to a particular user “without having to re-register each account”.
The FIDO Alliance notes that the new standard is “drastically more secure compared to passwords and legacy multi-factor technologies such as one-time passcodes sent via text message.” When internet companies began introducing two-factor authentication options a decade ago, many relied on insecure distribution channels, including email or text, for the secondary authentication. Although still more secure than logins with passwords alone, these insecure channels could still be exploited by dedicated attackers.
The introduction of authenticator apps, such as Microsoft Authenticator or Authy, has eliminated this risk. The codes were created by the apps locally without any network activity.
The expanded standard that will be available in 2023 offers the same benefits along with cross-device and platform support. The user’s biometric information, which is used for authentication on sites, applications and services, is available locally only. Passkey information can be synced across devices, again without any platform limitations, as long as the platform itself supports the extended standard.
In the past, it was difficult to install and use some authenticator apps on multiple devices; the new standard will facilitate this and improve the experience for users who lose access to their devices or move to other devices.
Microsoft’s Windows Hello authentication system supports passkey logins on all sites that already support the feature. Soon, owners of Apple and Google devices will be able to use passkeys to sign in to Microsoft accounts.
Removing passwords eliminates attacks aimed at stealing account passwords. Phishing attacks often target user passwords and credentials, but without passwords and password authentication, attackers run into brick walls when trying to steal data that doesn’t exist.
Microsoft announced new passwordless sign-in features this week:
- Passwordless support is now available for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure in Windows 11 Insider Preview builds. Microsoft plans to roll out support for Windows 10 and 11 in the near future.
- Microsoft Authenticator supports multiple passwordless accounts for Azure AD. The new feature will roll out to iOS devices in May 2022 and Android devices later this year.
- According to Microsoft, Windows Hello for Business Cloud Trust improves the deployment experience for hybrid environments.
- The temporary access pass in Azure AD has been in public preview for some time. The update allows users to use the feature to sign in for the first time, set up Windows Hello, and join a device to Azure AD.
Cross-platform and device support for the passwordless login standard will make it more attractive to users, as it eliminates the need to juggle between different passwordless authentication options if different platforms are used.
It remains to be seen how the three major players will implement the support and how well everything will work once the support is introduced on all three platforms.
Now you: Are you using two-factor authentication or passwordless logins?