Thursday, November 21, 2024

New FIDO Alliance guidance: Passkeys will replace passwords eventually. Here’s how to set them up.

Apple thinks 249 of my passwords need attention. Some of them have been reused. Some of them have been caught up in data breaches. Some are just bad passwords.

That’s why, for the past 11 years, a group called the FIDO Alliance has been working to kill passwords — or at least make us less reliant on them. FIDO, short for Fast IDentity Online, wants to make signing into your accounts not only more secure but also, as the name implies, faster and easier. Since its members include Amazon, Apple, Google, Meta, and other architects of our online experience, the FIDO Alliance is in a position to accomplish this, too.

Whether you’ve realized it or not, FIDO’s efforts have already transformed the way you sign into everything online. You may have noticed a few years ago, for instance, that a lot more sites started requiring something called multifactor authentication, which adds an extra step to the login process, like texting a code to your phone so the site can verify you are you. That was FIDO’s doing.

But after years of making logging in more difficult but more secure, the alliance recently began a major push to get platforms and people alike to adopt a technology that may just kill passwords altogether: passkeys.

Passkeys are a new kind of credential that you can use to sign into web accounts without the use of a password. This new authentication standard is making passwords irrelevant by introducing a new, simpler, but more secure workflow. There’s a logo and everything.

You can think of passkeys as two encrypted files, one on your end and one on the website’s end, that open up access to your account when one matches the other, much like a key and lock. Passkeys can’t be copied or spoofed, and they can’t be phished.

Once you’ve set up a passkey for a website, you can sign in the same way you unlock your phone: with your face, your fingerprint, or a PIN. The process is so quick and familiar, you may already be using passkeys on sites like Google and Amazon. Pretty soon, passkeys could be all you use. May your passwords rest in peace.

The password problem, briefly explained

It wasn’t always like this. In the early days of computing, when computers took up entire rooms and required several people to operate them, there wasn’t a need for passwords. But once people started sharing those systems, passwords became key to computing in private.

In the early 1960s, researchers at MIT built a giant computer called the Compatible Time-Sharing System, a pioneering machine that led to the development of things like email and file sharing. It allowed multiple people to work on their own projects at once, so Fernando Corbató, the head of the project, came up with a way for people to keep private files on the system. He made it possible for researchers to set up accounts and access them with unique strings of characters — and thus the password was born.

“Unfortunately it’s become kind of a nightmare,” Corbató told the Wall Street Journal in 2014.

It turns out passwords aren’t very private at all. The MIT researchers quickly figured out ways to steal their colleagues’ passwords and play pranks on them. Fast forward a few decades, and people are using hundreds of passwords to protect their hundreds of online accounts — or sometimes it’s the same password for everything. It’s absolutely a nightmare. Passwords are easy to forget and can be difficult to reset. If a hacker steals that one password you use because it’s a hassle to keep track of a bunch, they can log into all your accounts, steal your money, and generally wreak havoc.

Hackers can also just steal passwords, sometimes millions of them at once, in order to steal people’s identities. Phishing attacks, when a bad actor tricks someone into giving up their login credentials, are a particularly insidious way to gain access to large amounts of sensitive data. These data breaches are actually what led to the creation of FIDO in 2013, when a consortium of tech companies, banks, and governments banded together to come up with a better way to secure accounts.

The effort started out with adding layers of security on top of the basic password. Multifactor authentication became mainstream about a decade ago. This improved security, but it was also a real pain.

You’ve since seen even more complicated login routines. Requirements for passwords have gotten more complex (think a dozen characters, upper- and lowercase, special characters, the works). Even once you’ve entered a paralyzingly long and complex password, you might get a push notification on another device to verify that you’re you on your laptop. You might get a magic link sent to your email. There could even be a QR code involved. All of these methods are vulnerable to phishing attempts, too.

“To solve the problem, you need to really get to the root of the problem,” FIDO chief executive Andrew Shikiar told me. “By addressing the password problem, you’re really addressing the data breach problem.”

Passkeys promise to fix many of the problems passwords created. Thanks to FIDO and W3C, the consortium that manages the standards for the World Wide Web, there is now an agreed-upon workflow for passkeys to replace passwords entirely.

From the user’s point of view, the passkey process is pretty easy. You just log on the old-fashioned way, with a password or a code or whatever, and then the website or platform will ask you if you want to set up a passkey. If you do, it will generate those two files — the lock and key, if you will — that make up the passkey. It will also prompt you to unlock your phone with your face, fingerprint, PIN, or swipe pattern, depending on your preferences. The passkey will then be associated with that device and stored in the cloud or in your password manager. The next time you go to log in, that site will go to see if you’ve got the key to fit its lock. If so, unlock your device, and you’re right back in. It takes maybe two seconds.
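To make the lock-and-key picture concrete, here is an added example (not from the original article or from FIDO) that models the exchange in a simplified form: the device keeps a private key, the site keeps the matching public key, and each sign-in signs a fresh challenge together with the site's address. The class names, the sample addresses and the choice of Ed25519 are assumptions made for the illustration, and the message layout is not the real WebAuthn format.

```javascript
// Added illustration: simplified model of passkey sign-in, not the WebAuthn wire format.
const crypto = require('node:crypto');

// Device side (hypothetical class): holds one private key per site origin.
class Device {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);   // the "key" never leaves the device
    return publicKey;                    // the "lock" is handed to the site
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);   // looked up by the origin the browser sees
    if (!key) return null;               // no passkey for this origin: nothing to sign
    return crypto.sign(null, Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// Website side (hypothetical class): stores only the public key.
class Site {
  constructor(origin) { this.origin = origin; this.publicKey = null; this.pending = null; }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() { this.pending = crypto.randomBytes(32); return this.pending; }
  verify(signature) {
    if (!signature || !this.pending || !this.publicKey) return false;
    const signed = Buffer.concat([Buffer.from(this.origin), this.pending]);
    this.pending = null;                 // each challenge is accepted once
    return crypto.verify(null, signed, this.publicKey, signature);
  }
}

function runDemo() {
  const device = new Device();
  const site = new Site('https://shop.example');   // constructed sample origin
  site.enroll(device.register(site.origin));

  const first = device.sign(site.origin, site.newChallenge());
  const login = site.verify(first);                // fresh challenge, right origin

  site.newChallenge();
  const replay = site.verify(first);               // old signature, new challenge

  // A look-alike page relays the real site's challenge, but the browser
  // reports the look-alike's own origin to the device.
  const lookalike = site.verify(device.sign('https://sh0p.example', site.newChallenge()));
  return { login, replay, lookalike };
}
```

Only the first attempt succeeds: a captured signature fails against a new challenge, and the device has nothing to offer a look-alike address.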

Creating a passkey will not necessarily do away with your password for good. Many sites are keeping the password around as a backup, if you somehow lose track of your passkey. Plus, we’ve been using passwords for so long, it would be weird if they suddenly disappeared.

“People don’t want to feel like they’re losing their password,” Shikiar said. “That’s a scary thought.”

Not for me. I personally couldn’t wait to switch from passwords to passkeys, once I learned about the wider rollout. So over the past week, I’ve set up as many passkeys as I can. But I did not set up 249 new passkeys to deal with all those problematic passwords. My passkey count is closer to 12.

The setup process is slightly different for each site, but once the passkey is in place, logging in is essentially a one-touch or one-glance process. Most of the time, I don’t even see a place to enter my password. The site just scans my fingerprint or my face, and I’m in.

The main challenge, for now, is that not too many companies are using passkeys, which explains FIDO’s recent push to get more companies signed up. You can set up passkeys for your Google and Amazon accounts, for instance, but not for Facebook and Instagram. WhatsApp, however, does use passkeys. It’s all a bit confusing for now. (Here’s a full list of major websites that support passkeys.)

The other issue here is that, while people can remember passwords in their heads, passkeys really need passkey managers. Because most new devices come with password managers built-in, this is actually not that big of a deal: Password managers are also passkey managers.

Google and Apple started making the transition to passkeys a couple years ago. If you’re using an Android or iPhone, you can use the built-in password managers on those devices to save all of your passkeys. Google Chrome also has a passkey manager, as does Microsoft Windows. Password managers, like 1Password and Bitwarden, can also handle passkeys now. If you want to switch from an iPhone to an Android device or switch password managers, you’ll have trouble migrating all of those passkeys, but FIDO is working on a solution.

Passkeys were designed to kill passwords, but it will be a slow death. Even though passwords are sticking around for now, they’ll gradually be rendered useless as more sites and platforms rely on passkeys instead. In a sense, passwords will become internet zombies, lurking and probably occasionally causing trouble.

“The password will never fully die,” said Jacob Hoffman-Andrews, a senior staff technologist at the Electronic Frontier Foundation. “There will always be devices and corners of the internet where passwords hold on.”

A version of this story was also published in the Vox Technology newsletter.