A group of technology companies including Apple Inc.,
Alphabet Inc.’s
Google and
Microsoft Corp.
says it is a step closer to eliminating what many people call one of the worst aspects of the internet experience: passwords.
The Fast Identity Online Alliance has for nearly a decade worked on a system that lets users log into their online accounts simply by using the unlock mechanisms of their smartphones or computers. Rather than sending a password over a network susceptible to outside interference, users connect a public “key,” which sits on the account service provider’s server, to a private one, which cannot be removed from their device.
Previous versions of the group’s system still required people on new devices to enter passwords for each account before they could go password-free. Now, it says it has found a way to let users log into online accounts with their faces, fingerprints and PIN codes straightaway, even on brand-new devices.
The update “means that users don’t need passwords anymore,” said a white paper by the alliance, called FIDO for short. “As they move from device to device, their FIDO credentials are already there, ready to be used.”
The alliance, which represents more than 250 members, has been trying to reduce reliance on passwords since 2013, when six companies including
PayPal Holdings Inc.
and
Lenovo Group Ltd.
came together to develop a new, safer industry standard for online authentication.
Passwords create not just friction on the information superhighway, critics have long complained, but real frustration and even abandoned accounts when consumers forget their secret codes. They also still leave users, businesses and other organizations vulnerable to hackers and other bad actors.
Security solutions such as two-factor authentication, in which users typically supplement passwords with push notifications or codes sent by apps or texts, bring their own drawbacks. Plenty of people seem uninclined to opt in.
“Even though we know in 2022 that passwords are inherently insecure and creating lots of problems, getting people to actually secure them is still a challenge,” said Merritt Maxim, vice president and research director at research firm
Forrester Research Inc.,
where he specializes in security and risk.
Passwords are “the cockroaches of the internet,” Mr. Maxim said—irritating, hardy and worth taking the time to kill.
Some companies have developed passwordless options using FIDO standards.
Microsoft last September began letting consumers sign into their accounts with the company’s authenticator app and software, physical security keys that plug into computer ports, or SMS and email verification codes, rather than passwords.
And when a user logs into
eBay,
the company detects whether a user’s device supports FIDO. If so, a pop-up asks if he or she would like to enroll in passwordless authentication using his or her device’s password, PIN, facial recognition or fingerprint. Those who agree are then prompted to use that method on subsequent logins—no account passwords required.
EBay said that login completion rates have improved since it introduced FIDO technology in 2020, and that opt-in rates were higher than for text-based two-factor authentication.
But a completely passwordless world is still far off, said Forrester’s Mr. Maxim. FIDO’s vision mostly relies upon account holders having their own connected devices, which is not true for all users globally, he said. And while the system does not share users’ biometric data with account service providers, some privacy-minded users may hesitate to use their faces and fingerprints to unlock everything, he said.
The alliance tested which language, icons and information makes people feel most comfortable with switching on FIDO, said
Andrew Shikiar,
the group’s executive director and chief marketing officer.
“People need to adjust from doing what they know—just entering passwords—to doing something that they know how to do, but don’t really connect with logging in,” Mr. Shikiar said.
Some apps already let users substitute typing in their passwords with their device-unlock mechanisms, which helps establish “passwordless” user behavior. But those apps still transmit passwords behind the scenes, leaving accounts vulnerable to hacking, Mr. Shikiar said. FIDO, by contrast, does not send any human-readable information, including passwords, over networks when users switch it on, he said.
The alliance has also introduced workarounds for people who use shared devices. The updated technology lets users turn their phones into authenticators that can log into accounts on computers using Bluetooth, which would let users access accounts without passwords on a library computer, for example.
But if the user is unable to use his or her phone, or doesn’t have one, then the login experience would likely remain as it is today, Mr. Shikiar said.
“But let’s remember that getting rid of passwords is a journey and not a sprint,” he added.
Write to Katie Deighton at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8