Apple thinks I need attention for 249 passwords. Some of them have been used again. Some of them have been victims of data breaches. Some are just bad passwords.
That’s why, for the past 11 years, a group called the FIDO Alliance has been working to kill passwords — or at least make us less dependent on them. FIDO, short for Fast Identity Online, aims to make signing into your accounts not only more secure but also, as the name implies, faster and easier. Because its members include Amazon, Apple, Google, Meta and other architects of our online experience, the FIDO Alliance is in a position to accomplish this as well.
Whether you realize it or not, FIDO’s efforts have already changed the way you sign in online. You may have noticed a few years ago, for example, that many more sites began to require something called multifactor authentication, which adds an extra step to the login process, like texting a code to your phone so the site can verify it’s you. That was FIDO’s doing.
But while logging in has become more secure over the years, it has also become more difficult, the alliance says. It recently started a big push to get platforms and people alike to adopt a technology that just might kill passwords altogether: passkeys.
Passkeys are a new type of credential that you can use to sign in to web accounts without using a password. This new authentication standard is making passwords irrelevant by introducing a new, simpler, but more secure workflow. There’s a logo and everything.
You can think of passkeys as two encrypted files, one on your end and one on the website’s end, that unlock access to your account when one matches the other, much like a key and a lock. Passkeys cannot be copied or spoofed, and they cannot be phished.
Once you’ve set up a passkey for a website, you can sign in the same way you unlock your phone: with your face, your fingerprint, or a PIN. The process is so quick and familiar that you may already be using passkeys on sites like Google and Amazon. Soon, passkeys will be available for you to use far more widely. May your password rest in peace.
The password problem, briefly explained
It wasn’t always like this. In the early days of computing, when computers took up entire rooms and required many people to operate them, passwords were not necessary. But once people started sharing those systems, passwords became the key to private computing.
In the early 1960s, researchers at MIT built a giant computer called the Compatible Time-Sharing System, a pioneering machine that led to the development of things like email and file sharing. It allowed multiple people to use the same machine for their own projects, so project lead Fernando Corbato came up with a way to keep personal files on the system. He made it possible for researchers to set up accounts and access them with unique strings of characters — and thus passwords were born.
“Unfortunately it’s kind of turned into a nightmare,” Corbato told the Wall Street Journal in 2014.
It turns out passwords aren’t private at all. MIT researchers quickly figured out a way to steal their colleagues’ passwords and play tricks on them. Fast forward a few decades, and people are using hundreds of passwords to protect hundreds of their online accounts — or sometimes it’s the same password for everything. It’s an absolute nightmare. Passwords are easy to forget and difficult to reset. If a hacker steals a password you reuse because it’s a hassle to keep track of a bunch, they can log into all your accounts, steal your money, and generally wreak havoc.
Hackers can steal passwords, sometimes millions at a time, to steal people’s identities. Phishing attacks, in which a bad actor tricks someone into giving up their login credentials, are a particularly insidious way to gain access to large amounts of sensitive data. These data breaches actually led to the creation of FIDO in 2013, when a consortium of tech companies, banks and governments came together to come up with a better way to secure accounts.
The effort began by adding a layer of security on top of the basic password. Multifactor authentication became mainstream about a decade ago. It improved security, but it was a real pain.
You’ve seen more complicated login routines since then. Password requirements have become more complex (think a dozen characters, upper- and lowercase, special characters, the works). Even once you enter a paralyzingly long and complex password, you may get a push notification on another device to verify that it’s really you on your laptop. You may get a magic link sent to your email. There may even be a QR code involved. All of these methods are also vulnerable to phishing attempts.
“To solve the problem, you really have to get to the root of the problem,” FIDO CEO Andrew Shikiar told me. “By solving the password problem, you’re really solving the data breach problem.”
The passkey solution
Passkeys promise to solve many of the problems that passwords create. Thanks to FIDO and the W3C, the consortium that manages standards for the World Wide Web, there is now an agreed-upon workflow to completely replace passwords with passkeys.
From the user’s point of view, the passkey process is quite simple. You just log in the old-fashioned way with a password or a code or whatever, and then the website or platform asks you if you want to set up a passkey. If you do, it creates those two files – the lock and the key, if you will – that make up the passkey. It also prompts you to unlock your phone with your face, fingerprint, PIN or swipe pattern, depending on your preference. The passkey is then associated with that device and stored in the cloud or in your password manager. The next time you log in, the site checks whether you’ve got the key to its lock. If so, you unlock your device and you’re in. This takes maybe two seconds.
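The lock-and-key picture above, and the claim that a passkey cannot be phished, boil down to a signed challenge that is bound to the site it was created for. This is an added illustration, not code from the article or from FIDO: a stripped-down sketch of the WebAuthn idea using an ed25519 key pair, with the type names, the rpID "example.com" and the look-alike domain "examp1e.com" chosen here as assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is the user's side: the private half ("the key"), bound to one site.
type Authenticator struct {
	rpID string
	priv ed25519.PrivateKey
}

// RelyingParty is the website's side: it stores only the public half ("the lock").
type RelyingParty struct {
	rpID string
	pub  ed25519.PublicKey
}

// Register mimics passkey setup: a key pair scoped to rpID; the site receives only the public key.
func Register(rpID string) (*Authenticator, *RelyingParty, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, &RelyingParty{rpID: rpID, pub: pub}, nil
}

// signedData ties each signature to the site and to a one-time challenge, so it cannot be replayed.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Sign answers a login challenge only if the asking origin matches the passkey's site;
// a look-alike phishing domain is refused before anything is signed.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	if origin != a.rpID {
		return nil, errors.New("origin does not match the site this passkey belongs to")
	}
	return ed25519.Sign(a.priv, signedData(a.rpID, challenge)), nil
}

// Verify is the site's check: does the presented signature open the stored lock?
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(rp.pub, signedData(rp.rpID, challenge), sig)
}
```

In a real deployment the site draws a fresh random challenge for every login and the browser, not the site, reports the origin, which is what stops a phishing page from borrowing the passkey.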
Creating a passkey doesn’t necessarily erase your password for good. Many sites keep passwords as a backup, in case you somehow lose track of your passkey. Also, we’ve been using passwords for so long, it would be weird if they suddenly disappeared.
“People don’t want to think we’re losing their passwords,” Shikiar said. “It’s a scary thought.”
Not me. I personally couldn’t wait to switch from passwords to passkeys once I learned about the wider rollout. So last week, I set up as many passkeys as possible. But I didn’t set up 249 new passkeys to deal with all those problematic passwords. My passkey number is around 12.
The setup process is slightly different for each site, but once the passkey is in place, logging in is essentially a one-touch or one-glance process. Most of the time, I don’t even see a place to type my password. The site just scans my fingerprint or my face and I’m in.
The main challenge, for now, is that not many companies are using passkeys, which explains FIDO’s recent push to get more companies to sign up. You can set up passkeys for your Google and Amazon accounts, for example, but not for Facebook and Instagram. WhatsApp, however, does support passkeys. It’s all a bit confusing for now. (Here is a complete list of major websites that support passkeys.)
The other problem here is that, while people can remember passwords in their head, passkeys really require a passkey manager. Since most new devices come with built-in password managers, this isn’t really that big of a deal: password managers are also passkey managers.
Google and Apple started converting to passkeys a few years ago. If you are using an Android phone or an iPhone, you can use the built-in password manager on those devices to store all your passkeys. Google Chrome also has a passkey manager, as does Microsoft Windows. Third-party password managers, e.g. 1Password and Bitwarden, can now handle passkeys as well. If you want to switch from an iPhone to an Android device or change password managers, you’ll have trouble transferring all those passkeys, but FIDO is working on a solution.
Passkeys were designed to kill passwords, but it will be a slow death. While passwords are sticking around for now, they will slowly become useless as more sites and platforms rely on passkeys instead. In a sense, passwords will become internet zombies, lurking and possibly causing problems at times.
“The password will never completely die,” says Jacob Hoffman-Andrews, a senior staff technologist at the Electronic Frontier Foundation. “The Internet will always have devices and corners where passwords are held.”
A version of this story also appeared in the Vox technology newsletter. Sign up here so you don’t miss the next one!