Apple, Google and Microsoft agree to support passwordless sign in

Apple, Google and Microsoft agree to support password-free sign-ins that instead use fingerprints or face scans to ‘make web more secure for all’

  • Passwordless identification works like accessing devices such as smartphones
  • Users can make use of a PIN, fingerprint or face ID to get access to a website 
  • It creates secure personal identification keys shared with the websites
  • Microsoft, Apple and Google committed to introducing it by the end of the year
  • Cyber security experts say it will take some time to switch completely 

Apple, Google and Microsoft have announced a joint effort to support a new type of online sign-in which could replace passwords with more secure alternatives. 

The technology giants agreed to support a common password-less sign-in which has been created by industry body the Fido Alliance and World Wide Web Consortium.

It involves a standard that is designed to simplify the process, allowing people to sign in to websites and apps the way they unlock a device – with a fingerprint, face scan or a device PIN that can verify their identity.

Experts say it will enable people to access and use their new password-less sign-in credentials – known as a passkey – across different devices.

This will prevent people from having to sign in to every account again on each device, reducing the risk of using easily guessable passwords.


The tech giants said the new system would also allow people to use a fingerprint or facial scan authentication on their smartphone as a way of signing in on another device nearby, regardless of which operating system or browser they were running.

This is a feature already in place for Apple devices, where someone wearing an Apple Watch can unlock a phone or MacBook. 

This would reduce the need for people to remember a wide range of username and password combinations to log in to different services, they said.

This has often led to passwords being reused across multiple accounts – something experts said was one of the biggest security risks in the digital world.

Apple, Google and Microsoft said they hoped to start making these capabilities available across their platforms over the coming year.


‘“Simpler, stronger authentication” is not just Fido Alliance’s tagline – it also has been a guiding principle for our specifications and deployment guidelines,’ Fido Alliance executive director Andrew Shikiar said.

‘Ubiquity and usability are critical to seeing multi-factor authentication adopted at scale, and we applaud Apple, Google and Microsoft for helping make this objective a reality by committing to support this user friendly innovation,’ he added.

‘This new capability stands to usher in a new wave of low-friction Fido implementations alongside the ongoing and growing utilisation of security keys.’

‘123456’ and ‘password’ are among the most popular passwords used by CEOs 

It’s something that we’re all regularly warned about, but it seems that even top executives are still using passwords that are very easy to guess.

New research by NordPass has revealed the most popular passwords used by CEOs – with ‘123456’ and ‘password’ continuing to top the list.

Names and mythical creatures are also very commonly used, with ‘Michael’, ‘Jordans’ and ‘dragon’ also featuring in the top list.

The list of top passwords used by CEOs was compiled by NordPass in partnership with independent researchers specialising in research about cybersecurity incidents.

The team analysed over 290 million data breaches worldwide, before grouping passwords according to job title and industry.

Among the fields affected, technology, finance, construction, healthcare, and hospitality were shown to experience the most security incidents.

The list revealed that ‘123456’ was the most popular password among CEOs, having been used by 29,401 executives across the 290 million data breaches.

‘Password’ was next, with 22,511 uses, followed by ‘12345’ (11,876 uses), ‘123456789’ (10,988 uses) and ‘qwerty’ (9,738 uses). 

The move will give service providers a wider range of options to deploy ‘modern, phishing-resistant authentication.’

The announcement comes on World Password Day, and as cybersecurity experts called for the public and businesses to ‘drop passwords altogether’.

Grahame Williams, identity and access management director at defence firm Thales, said passwords were ‘becoming increasingly insecure’ and ‘easily hacked’.

He added that the industry needed to move on to newer technologies in order to boost security and protect user data.

Jake Moore, global cybersecurity advisor at ESET, an antivirus protection and threat assessment firm, said we are still a long way off a ubiquity of passwordless times.

‘But at least Microsoft, Google and Apple are attempting to pave the way to make account access more secure as well as convenient,’ he told DailyMail.com, adding that it ‘isn’t something that can be achieved overnight but it highlights that more needs to be done when it comes to people’s password security.’

Moore said passwords play a big part in account security as they can be easily changed when compromised and don’t directly rely on unique device identifiers such as a smartphone or watch.

‘Cybercriminals will inevitably attempt to circumnavigate a system by looking at features to exploit this revived method as nothing remains hackproof but like with any early adoption of new technology, this is a great start and we are likely to see a decent version of this in the near future.’

Google said in a statement: ‘We’re excited for what the passkey future holds. That said, we understand it will still take time for this technology to be available on everyone’s devices and for website and app developers to take advantage of them.

‘Passwords will continue to be part of our lives as we make this transition, so we’ll remain dedicated to making conventional sign-ins safer and easier through our existing products and continued innovation.’

‘Just as we design our products to be intuitive and capable, we also design them to be private and secure,’ said Kurt Knight, Apple’s Senior Director of Platform Product Marketing. 

‘Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.’ 

FIDO: PASSWORDLESS AUTHENTICATION FOR WEBSITES 

Based on free and open standards from the FIDO Alliance, FIDO Authentication enables password-only logins to be replaced with secure and fast login experiences across websites and apps.

The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. 

During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. 

Authentication is done by the client device proving possession of the private key to the service by signing a challenge. 

The client’s private keys can be used only after they are unlocked locally on the device by the user. 

The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.

The FIDO protocols are designed from the ground up to protect user privacy.

The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.
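A simplified model of the registration and challenge-signing flow described in this box, added here as an example and not taken from the FIDO Alliance or the article. The class names, the Ed25519 key type, the one-signature-per-unlock rule and the `.example` services are assumptions, and real FIDO messages carry more fields than this.

```javascript
// Added illustration: a simplified model of the flow, not the real FIDO message formats.
const nodeCrypto = require("node:crypto");

class Authenticator {                       // the user's client device
  constructor() { this.keys = new Map(); this.unlocked = false; }
  unlock(ok) { this.unlocked = ok; }        // stands in for the PIN / fingerprint / face check
  register(serviceId) {                     // a new key pair for every service
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
    this.keys.set(serviceId, privateKey);   // the private key stays on the device
    return publicKey.export({ type: "spki", format: "pem" });
  }
  sign(serviceId, challenge) {
    if (!this.unlocked) throw new Error("local unlock required");
    const sig = nodeCrypto.sign(null, challenge, this.keys.get(serviceId));
    this.unlocked = false;                  // assumption: one unlock authorises one signature
    return sig;
  }
}

class Service {                             // the website or app being signed in to
  constructor(id) { this.id = id; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {                      // fresh random challenge per login attempt
    this.pending.set(user, nodeCrypto.randomBytes(32));
    return this.pending.get(user);
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user);              // single use, so a replayed signature fails
    const pem = this.publicKeys.get(user);
    if (!challenge || !pem) return false;
    return nodeCrypto.verify(null, challenge, nodeCrypto.createPublicKey(pem), signature);
  }
}

function demo() {                           // constructed scenario: one device, two services
  const device = new Authenticator();
  const shop = new Service("shop.example"), bank = new Service("bank.example");
  const shopKey = device.register(shop.id), bankKey = device.register(bank.id);
  shop.enroll("alice", shopKey); bank.enroll("alice", bankKey);
  device.unlock(true);
  const sig = device.sign(shop.id, shop.newChallenge("alice"));
  const login = shop.verify("alice", sig);
  const replay = shop.verify("alice", sig);      // same signature, challenge already consumed
  bank.newChallenge("alice");
  const crossSite = bank.verify("alice", sig);   // different key and different challenge
  let lockedRefused = false;
  try { device.sign(shop.id, shop.newChallenge("alice")); } catch { lockedRefused = true; }
  return { login, replay, crossSite, lockedRefused, distinctKeys: shopKey !== bankKey };
}
```

Because each service only ever sees its own public key, the two services hold nothing in common that would let them link the same user, which is the privacy property the box describes.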
