A new form of security authorization will open the doors for people to move past the password.
When Apple releases iOS 16 to the public in September, it will debut the highly anticipated Passkey, a new form of security authorization that will allow users to sign into an assortment of accounts without having to input their passwords over and over. If this new form of digital security catches enough attention, it could help users stop relying on questionable passwords and significantly improve the average user’s digital privacy practices.
Passwords are “simply not fit for today’s internet,” FIDO Alliance Executive Director Andrew Shikiar told the Washington Examiner.
The Passkey was announced in May as part of a joint press release by Google, Apple, and Microsoft promoting a “passwordless future” based on new support for Fast IDentity Online, or FIDO, credentials. FIDO is an open industry association that has been trying to “help reduce the world’s over-reliance on passwords” since 2013.
FIDO credentials build on a digital standard that uses public-key cryptography to communicate a security authorization to the account and is considered a more complicated version of two-factor authentication. These authorizations, or “keys,” are kept in a cloud and are connected to individual devices. If a user wanted to log into an e-commerce website, such as Amazon or eBay, they would be required to connect their account to their Passkey on their mobile device. They would then be able to unlock it via a mobile PIN or biometric data, such as a fingerprint or facial scan, thus keeping users’ accounts locked to more reliable sources of identity confirmation than long, complex passwords.
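To make the public-key sign-in described above concrete, here is an added example (not from the article, and not code from Apple, Google, Microsoft or the FIDO Alliance) that models it in simplified form with Node.js's built-in crypto module. The function names, the `shop.example` origins and the reduced message format are assumptions for illustration; real WebAuthn messages carry more fields.

```javascript
// Added example: simplified model of a FIDO/passkey sign-in, not full WebAuthn.
const crypto = require('crypto');

// Registration: the device makes a key pair; the site stores only the public key.
function register() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, server: { publicKey } };
}

// Device side: sign the site's challenge together with the origin the
// browser is actually on (the user does not type or choose this value).
function deviceSign(device, challenge, origin) {
  const clientData = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  return { clientData, signature: crypto.sign('sha256', clientData, device.privateKey) };
}

// Site side: check challenge freshness, then origin, then the signature.
function serverVerify(server, expectedChallenge, expectedOrigin, assertion) {
  const data = JSON.parse(assertion.clientData.toString());
  if (data.type !== 'webauthn.get') return 'bad-type';
  if (data.challenge !== expectedChallenge.toString('base64url')) return 'wrong-challenge';
  if (data.origin !== expectedOrigin) return 'wrong-origin';
  const ok = crypto.verify('sha256', assertion.clientData,
                           server.publicKey, assertion.signature);
  return ok ? 'ok' : 'bad-signature';
}

// Constructed scenario: one genuine sign-in and three ways a response is rejected.
function demo() {
  const site = 'https://shop.example';            // constructed origin
  const lookalike = 'https://shop-example.test';  // constructed look-alike
  const { device, server } = register();
  const challenge = crypto.randomBytes(32);
  const genuine = deviceSign(device, challenge, site);
  const phished = deviceSign(device, challenge, lookalike);
  // Rewriting the signed origin after the fact invalidates the signature.
  const tampered = { signature: phished.signature, clientData: Buffer.from(
    phished.clientData.toString().replace('shop-example.test', 'shop.example')) };
  return {
    genuine: serverVerify(server, challenge, site, genuine),
    phished: serverVerify(server, challenge, site, phished),
    tampered: serverVerify(server, challenge, site, tampered),
    replayed: serverVerify(server, crypto.randomBytes(32), site, genuine),
  };
}
```

No shared secret ever leaves the device, so a response captured on a look-alike site or replayed later is rejected by the genuine site.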
While FIDO credentials are not new, they have historically been relegated to government entities and technology companies due to the costs and complexities of the credentials. They were also limited in that each device needed its own FIDO credential to be usable, so using them across an assortment of different personal devices required extra effort. The updated support will now allow users to have a single set of FIDO credentials that are connected to multiple devices. This support can also be used to sign into an app or website on a different device, regardless of the platform. Because Google, Apple, and Microsoft all announced support, the vast majority of new devices will be able to incorporate the new security functions with a simple update to their operating system. This will make the adoption of FIDO credentials on everyday devices significantly easier.
“At the end of the day, consumers are faced with two key questions when evaluating new technologies that affect their overall identity management: ‘Is it secure?’ and ‘Is it convenient?’” Jason Bohrer, executive director of the Secure Technology Alliance, told the Washington Examiner. Bohrer argued that the simplicity of a mobile-device-based identity authorization process mixed with the ease of something like a PIN or facial scan would make the adoption of the new security protocol easier.
What remains uncertain is how long it may take for the technology to be adopted. “Getting to a passwordless future is a journey, not a sprint,” Shikiar added. While Apple will be the first to implement the multidevice FIDO passkey via iOS 16, it will take time for users to adopt the new security devices as part of their everyday lives.
Cybersecurity experts are eager to explore the implications of the new practice in the near term. “While passwords won’t go away when Apple launches this, Passkey certainly has the potential over time to reduce the phishing and account takeover attack surface while setting a new standard for how identity management should take place in the future,” cybersecurity software firm Magnet Forensics Digital Investigation Suite Director Stephen Boyce told the Washington Examiner.
Passwords have historically been a common tool used by hackers to access critical areas. Roughly 70% of cybercrimes in one 12-month period consisted of “social engineering attacks,” according to Microsoft’s “Digital Defense Report” from September 2020. These attacks included sending phishing emails to acquire critical login information, such as passwords.
https://www.washingtonexaminer.com/policy/technology/farewell-passwords-how-passkeys-will-change-digital-privacy?_amp=true