While multi-factor authentication has never been more popular, efforts are multiplying to offer an alternative that is as credible as it is effective. The latest example: Apple, Google and Microsoft have agreed on the need to accelerate adoption of the FIDO authentication standard.
Forget passwords? To make the web jungle more secure, Apple, Google and Microsoft have announced a joint initiative to expand support for the passwordless authentication standard of the FIDO Alliance and the W3C. The objective is to let users around the world sign in safely and easily to web services and platforms from a wide variety of devices (computers, smartphones, connected objects, etc.). These three American computing giants had each already moved to support this new authentication mechanism, but they had not yet done so jointly. That has now changed, with shared progress on implementation.
Apple, Google and Microsoft have thus agreed to let users automatically access their FIDO login credentials on their various devices without having to manually re-register their user account each time. They have also agreed to let users use FIDO authentication on their mobile device to sign in to an application or website on a nearby device, regardless of the platform, OS or browser used. “In addition to facilitating a better user experience, the broad support for this standards-based approach will allow service providers to offer FIDO credentials without the need for passwords as an alternative method of logging in or recovering an account,” reads a joint statement.
An authentication key based on public key cryptography, stored on the smartphone
In a blog post, Google gave somewhat more concrete detail on how this passwordless authentication will work: “your phone will store a FIDO identifier called password used to unlock your online account. The authentication key makes logging in much more secure, as it is based on public key cryptography and is only displayed in your online account when you unlock your phone,” the group says. “To connect to a website on your computer, you will just need your phone nearby and you will simply be prompted to unlock it to access it. Once you’ve done this, you won’t need your phone anymore and you can log in by simply unlocking your computer. Even if you lose your phone, your passwords will securely sync to your new phone from cloud backup, allowing you to pick up where your old device left off.”