Google, Microsoft and Apple have announced plans to expand passwordless sign-in support across major operating systems and devices. The three companies announced plans on May 5, 2022 to support a passwordless sign-in standard that has been created by the FIDO Alliance and the World Wide Web Consortium.
Current passwordless sign-in options are specific to certain operating systems or services. Microsoft introduced support for passwordless accounts in 2021 and support for passwordless sign-ins nearly five years ago.
Customers may set up the feature online to use the company’s Authenticator application, Windows Hello or other authentication options to sign in to their accounts across Windows devices and Microsoft services. The company claims that more than 240 million customers are signing in to their accounts without using a password each month.
More than 330,000 customers have removed the password from their Microsoft Account completely in the last six months according to the company.
“‘Simpler, stronger authentication’ is not just FIDO Alliance’s tagline — it also has been a guiding principle for our specifications and deployment guidelines. Ubiquity and usability are critical to seeing multi-factor authentication adopted at scale, and we applaud Apple, Google, and Microsoft for helping make this objective a reality by committing to support this user-friendly innovation in their platforms and products,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance.
The improved standard bridges the gap between different operating systems, devices, apps and services, so that websites, services and apps may offer “consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms” according to the announcement.
Passwords are “one of the most common entry points for attackers” according to Vasu Jakkal, Microsoft Corporate Vice President, Security, Compliance, Identity, and Management. Attacks on passwords have nearly doubled over the past 12 months according to Microsoft.
Two-factor authentication mechanisms help protect accounts, as they block 99.9% of all attacks according to a Microsoft study. While attackers may steal user passwords, for instance, through phishing attacks, brute force attacks, or malware, two-factor authentication blocks access to the account until a secondary form of authentication is completed. Authentication apps may be used for that, as may other means.
Passwordless sign-in systems go a step further by removing passwords from accounts. Users use the same authentication options that they use for two-factor authentication, e.g., an authenticator app, security key, Windows Hello, or codes that are sent to mobile devices or to email accounts, but without having to supply a password.
The expanded standard gives websites and applications an option to offer end-to-end passwordless sign-in options to their users and customers. With the new system enabled on their mobile devices, users will use the same verification methods for signing in to apps or services that they use regularly on their devices. They may enter their PIN, or use biometric authentication options, if supported by the device.
Apple, Google and Microsoft are expected to introduce support for the expanded standard in 2023.
The benefits of the new passwordless standard
The new passwordless standard has been created by the FIDO Alliance and W3C. It is backed by Microsoft, Google and Apple, who will add support into their platforms. The three companies have “led development of the extended set of capabilities” to extend what is supported already.
The main advantage of the extended standard is that it adds capabilities that improve the experience significantly:
- Users may use the authentication option provided by FIDO on their mobile devices to sign in to any app, website or nearby device, regardless of the operating system or the browser that is being used.
- Users may access FIDO sign-in credentials on any device that they own “without having to re-enroll every account”.
The FIDO Alliance notes that the new standard is “radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS”. When Internet companies started to introduce two-factor authentication options about a decade ago, many relied on insecure delivery channels, including email or SMS, for the secondary authentication code. While still more secure than sign-ins with passwords alone, these insecure channels could still be exploited by dedicated attackers.
The introduction of authentication apps, such as Microsoft Authenticator or Authy, eliminated that risk. Codes were created by the applications locally without any network activity.
The extended standard that will become available in 2023 offers the same advantages plus cross-device and platform support. The user’s biometric information, which is used for authentication across sites, apps and services, is available locally only. The passkey information can be synced across devices, again without any platform limitations, provided that the platform itself supports the extended standard.
It has been difficult in the past to install and use some authenticator applications on multiple devices; the new standard will make this easier and improve the experience for users who lose access to their devices or switch to other devices.
Microsoft’s Windows Hello authentication system supports passkey sign-ins on all sites that support the functionality already. Soon, Apple and Google device owners may use passkeys to sign in to Microsoft Accounts.
The removal of passwords eliminates attacks that aim to steal account passwords. Phishing attacks often target user passwords and authentication information, but without a password and password authentication, attackers run into brick walls when trying to steal data that does not exist.
Microsoft announced new passwordless sign-in capabilities this week:
- Passwordless support is now available for Windows 365, Azure Virtual Desktop and Virtual Desktop Infrastructure in Windows 11 Insider preview builds. Microsoft plans to roll out support to Windows 10 and 11 in the near future.
- Microsoft Authenticator supports multiple passwordless accounts for Azure AD. The new functionality will roll out to iOS devices in May 2022 and to Android devices later this year.
- Windows Hello for Business Cloud Trust improves the deployment experience for hybrid environments according to Microsoft.
- Temporary Access Pass in Azure AD has been in public preview for some time. The update allows users to use the feature to sign in for the first time, configure Windows Hello, and join a device to Azure AD.
Cross-platform and device support for the passwordless sign-in standard will make it more appealing to users, as it removes the hassle of having to juggle between different passwordless authentication options if different platforms are used.
It remains to be seen how the three major players will implement support, and how well everything works once support has been introduced on all three platforms.
Now You: do you use two-factor authentication or passwordless sign-ins?