23 August 2022

The Future Without Passwords With FIDO-Compliant Passkeys

The introduction of Apple’s passkeys appears to be accelerating the move to password-free authentication that is FIDO-compliant and secure. Read why.

Apple is making the switch: passwords in your Safari browser at home will soon be a thing of the past. They are being replaced by ‘passkeys’. These consist primarily of pairs of private and public keys that are based on the WebAuthn industry standard. Users no longer need a password for logins; only biometric features such as the face or fingerprint are used for authentication. The passkeys are stored on the device and in the iCloud keychain. What makes this step so important is that Apple is not alone in switching to passwordless logins but is completing the step as part of an alliance of tech corporations that includes other industry heavyweights such as Google and Microsoft. Read here how passkeys provide a secure authentication method that will improve browsing and shopping online.

For years, passwords have been considered the Achilles’ heel of IT security. If passwords are short and easy for users to remember, they are not secure. However, if they are at least twelve characters long and peppered with special characters and numbers, as recommended by the experts, they are almost impossible to remember. What’s more, passwords present a large target for cybercriminals who use phishing attacks to direct their victims to fake company websites or pass themselves off as executives calling on the phone – all to induce users to reveal their confidential login details. By the time the hoodwinked persons or IT managers at an affected company notice the attack, it is usually too late – criminals typically need only a few minutes to siphon off valuable internal company data from servers or to go on an online shopping spree at their victim’s expense.

It’s not just Apple: passkeys are a joint effort

Passkeys are designed to eliminate this vulnerability, which affects online service providers and shops as much as it does end users, once and for all. This new level of passwordless authentication will put into practice what Apple has worked on since 2012 together with the other big tech companies Alphabet (Google), Amazon, Meta (formerly Facebook) and Microsoft as well as hardware manufacturers from Intel to Qualcomm in the FIDO Alliance. The goal of the organisation is to reduce reliance on passwords and to improve authentication standards on desktop and mobile devices.

Consequently, Apple’s passkey is not a proprietary development that is limited to its own product ecosystem but conforms to FIDO2. In other words, its implementation complies with the standardised log-in credential developed by the FIDO Alliance. Since other members of the FIDO Alliance such as Microsoft and Google also support the process, it is likely to be adopted rapidly in the coming years. As well as dispensing with passwords, the secure login offers additional benefits. First, it is independent of the end device, operating system platform and browser used. Second, it enables the digital key to be shared safely across different devices. Users, therefore, have access to personal passkeys without having to log in again on each of their devices, which translates into a much-improved user experience.

To ensure that the new system functions smoothly in the future, it is not just the tech giants that are pulling together. Online service providers and shops must also contribute to the success by making their apps and websites fit for the passwordless future. The members of the FIDO Alliance already offer relevant programming interfaces for this purpose.

The evolution of web shops and similar services

Website operators can integrate these types of APIs into their software architecture themselves – or they can turn to authentication solutions from third parties such as Nevis, which already offer this functionality to the fullest extent. Nowadays, these are usually provided as cloud solutions. This means that companies do not need to concern themselves with keeping login components up to date. Instead, this is handled by the central service provider.

It will probably be some time before passkeys are really ready to use everywhere – but the broad support among hardware and software vendors means that one thing is for sure: nothing can stand in the way of an innovation set to make surfing and shopping online much more secure.

Original article on Nevis Security’s website