The Fido Alliance, an organization committed to eliminating the need for passwords, received a big boost last week when Apple signed up as a board member. Fido stands for Fast IDentity Online.
Apple apparently wasn’t ready to announce its support immediately, as tweets from a Fido Alliance conference were quickly deleted, but as of today, the news is official…
French site MacG spotted a now-deleted tweet that had a photo of a conference slide showing the Apple logo and the text ‘New Board Member.’
The problem with passwords
I’ve been arguing for years that passwords are horrible.
Biometric authentication like Face ID and Touch ID helps, as do password managers, but there are still an annoying number of times when you have to enter them manually.
And passwords are especially horrible on iOS devices – where we have to switch an on-screen keyboard between letters, numbers and symbols multiple times to type a single password.
Passwords are even worse for non-techies, who frequently resort to using the same password for almost every website, app and service out there – which means as soon as any of them gets hacked, all of their other logins are compromised. (Hackers generally seek credentials from poorly-secured websites, then try them on valuable ones.)
How Fido Alliance wants to replace passwords
The Fido Alliance proposal is that trusted devices should replace passwords. This would work much the same way as Apple’s two-factor authentication (2FA) using Apple devices. When you try to sign in to a new Apple device with your Apple ID, the company sends a code to a trusted device and you enter that code.
With the Apple system, this is an additional step, but what the Fido Alliance wants is for a similar approach to replace passwords – and you wouldn’t need to enter a code.
For example, if you try to log in to a website on your iPhone, you would enter only your username and it would then send an authentication request to one of your other registered devices, such as an Apple Watch. You could simply tap to authorize. Similarly, when accessing a service on your Mac, you would be able to approve it on your iPhone – and so on.
Although this might sound like weaker security, it’s actually secure. Only one of your own trusted devices can make a request for authentication as you, and only a different one of your own trusted devices can approve that request. An attacker wanting to impersonate you would need physical possession of two of your trusted devices, and to be logged in to both. For example, they would need to have your iPhone and its passcode, and your Mac and its password.
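The request-and-approve check described above, as an added Python sketch (not code from the Fido Alliance, Apple or this article). It assumes per-device HMAC secrets as a stand-in for the per-device key pairs that real FIDO authenticators use; the user, device names and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed registry: user -> device id -> secret provisioned at enrollment.
# Assumption: a real FIDO authenticator holds a private key and the server
# stores only the public key; HMAC keeps this example standard-library only.
DEVICES = {"alice": {"iphone": secrets.token_bytes(32),
                     "watch": secrets.token_bytes(32)}}
PENDING = {}  # challenge -> (user, requesting device); each entry is single use


def _tag(key, challenge, decision):
    # Bind the user's decision to this one challenge.
    return hmac.new(key, challenge + decision.encode(), hashlib.sha256).digest()


def start_login(user, requesting_device):
    """Server: accept a login request only from a registered device."""
    if requesting_device not in DEVICES.get(user, {}):
        raise PermissionError("request did not come from a trusted device")
    challenge = secrets.token_bytes(32)  # fresh and unpredictable per attempt
    PENDING[challenge] = (user, requesting_device)
    return challenge


def approve(user, device, challenge, decision="approve"):
    """Approving device: the user taps, the device authenticates the decision.
    Reading DEVICES here simulates the key stored on that device."""
    return _tag(DEVICES[user][device], challenge, decision)


def finish_login(user, approving_device, challenge, tag):
    """Server: verify the approval; the challenge is consumed on first use."""
    pending = PENDING.pop(challenge, None)
    if pending is None or pending[0] != user:
        return False  # unknown or replayed challenge
    if approving_device == pending[1]:
        return False  # approver must differ from the requesting device
    key = DEVICES.get(user, {}).get(approving_device)
    if key is None:
        return False  # approver is not registered to this user
    return hmac.compare_digest(tag, _tag(key, challenge, "approve"))
```

Because the server removes the challenge from `PENDING` before checking anything else, a captured approval cannot be replayed, and a failed attempt forces a new challenge.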
While Apple’s system is limited to its own devices, the alliance wants all manufacturers to sign up to this approach, so you’d also be able to authorize a login on an Android smartphone, Android tablet, Chromebook, Windows PC or any other trusted device.
Another Fido Alliance board member, Nok Nok Labs, already offers an SDK for the Apple Watch.
There’s a lot more work to be done before we will finally move beyond passwords. It will essentially require every website – or at least, every web and app authentication system – to sign up. But Apple lending its weight should do a lot to accelerate interest.