Soon, you might not need to remember passwords to access apps and websites
Passwords? Who wants to use a password? You always forget your passwords, they force you to tax your memory and spell everything correctly. Yuck. Nobody wants a password. Ok, ok. Yes, this is based on the late Steve Jobs' comment about the stylus on that now-famous January day in 2007 when he introduced the iPhone.
But the truth is, while we all need to protect our identity and verify ourselves when we go online, trying to remember which password you used for which app can be a pain when you reach a certain age (which some of us, including yours truly, passed a while ago). Yes, there are apps developed to make things easier. But Google and Apple might be part of a group working on a new solution for this password thing and it could eventually be made available for the Android and iOS platforms.
FIDO Alliance working on a replacement for the use of passwords
According to 9to5Google, the FIDO Alliance (which has nothing to do with your pooch but actually stands for Fast IDentity Online) has been working on a replacement for the password. You might recall that two-factor authentication (2FA) has been recommended as a solution for those who have a tendency to use weak passwords such as, well, "password," continue reusing their passwords over and over, or make passwords too complex to remember such as using the ingredients to produce Coca-Cola or the roster of the 1965 New York Yankees.
Actually, in the text-message form of 2FA, a text is sent to your handset that contains a code that you type into the app or website, and this verifies that you are who you say you are because no one but you would ever have your phone (note the sarcasm). Well, that is the theory that 2FA is based on. But FIDO has a goal to replace passwords using cryptographic keys. When the phone owner unlocks his device, whether by using a fingerprint scanner, facial recognition, or a passcode, he will be asked to sign in using a "passkey."
As the FIDO Alliance says, "During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge." The "passkey" is stored on your device and in the cloud sync service associated with the operating system that your phone uses.
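The registration and sign-in flow in the FIDO quote above, as an added example that is not code from the article, 9to5Google or the FIDO Alliance. It is a simplified model, not the WebAuthn protocol: the Device and Service classes, the user "alice" and the service name "example.test" are hypothetical, and it goes one step past the quote by making each challenge single-use so a captured signature cannot be replayed.

```javascript
// Added illustration of passkey-style registration and challenge signing.
// Hypothetical names throughout; this is a model, not the WebAuthn API.
const nodeCrypto = require('crypto');

class Device {
  constructor() { this.privateKeys = new Map(); }   // service name -> private key
  register(serviceName) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKeys.set(serviceName, privateKey);  // private key stays on the device
    return publicKey.export({ type: 'spki', format: 'der' }); // only this is sent out
  }
  sign(serviceName, challenge) {
    return nodeCrypto.sign('sha256', challenge, this.privateKeys.get(serviceName));
  }
}

class Service {
  constructor(name) {
    this.name = name;
    this.publicKeys = new Map();   // user -> registered public key (DER bytes)
    this.pending = new Map();      // user -> challenge awaiting a signature
  }
  enroll(user, publicKeyDer) { this.publicKeys.set(user, publicKeyDer); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);   // fresh random value per sign-in
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user);                      // single use: a replay finds nothing
    const der = this.publicKeys.get(user);
    if (!challenge || !der) return false;
    const key = nodeCrypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
    return nodeCrypto.verify('sha256', challenge, key, signature);
  }
}

function demo() {
  const device = new Device(), otherDevice = new Device();
  const service = new Service('example.test');
  service.enroll('alice', device.register(service.name));
  otherDevice.register(service.name);               // different device, different key pair
  const sig = device.sign(service.name, service.newChallenge('alice'));
  const ok = service.verify('alice', sig);          // correct key, fresh challenge
  const replay = service.verify('alice', sig);      // same signature sent again
  const wrongKey = service.verify('alice',
    otherDevice.sign(service.name, service.newChallenge('alice')));
  return { ok, replay, wrongKey };
}
```

The service stores only public keys, so a breach of its database yields nothing that can be used to sign in.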
According to strings of code discovered by 9to5Google in the latest version of Google Play services (version 22.15.14), Android users' "passkeys" will be saved to their Google account as suggested by these strings:
- Hello passkeys, goodbye passwords
- Passkeys provide better protection than passwords – and they’re safely saved in your Google Account.
To be honest, this won't deliver us the password-free world that we all aspire to see. That's because the very first time you open an app or a website on your mobile browser, you will need to know the password for your Google Account or Apple ID (Oh yes, did we fail to tell you that Apple is also a member of the FIDO Alliance?)
But that info would only be needed the first time you open an app after installing it, or when setting up a new phone. As the FIDO Alliance wrote in a white paper last month, "Just like password managers do with passwords, the underlying OS platform will “sync” the cryptographic keys that belong to a FIDO credential from device to device."
FIDO added that "This means that the security and availability of a user’s synced credential depends on the security of the underlying OS platform's (Google's, Apple's, Microsoft's, etc.) authentication mechanism for their online accounts, and on the security method for reinstating access when all (old) devices were lost."
Based on the wording of the string, Google will be heavily promoting and making a big deal about "passkeys," hoping that many Android users decide to give it a go as a replacement for their passwords.
Members of the FIDO Alliance include:
- Amazon.
- American Express.
- Apple.
- Bank of America.
- CVS Health.
- Egis.
- Feitian.
- Google.
- Intel.
- Lenovo.
- Meta.
- Microsoft.
- Qualcomm.
- Samsung.