Reprinted from TidBITS by permission; reuse governed by Creative Commons
license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary
on Apple and Internet topics. For free email subscriptions and access to the
entire TidBITS archive, visit http://www.tidbits.com/


                   Another Step Toward a Password-Free Future

   Adam Engst

   Put bluntly, passwords suck. We just published a lengthy article about
   an email scam that exists only because too many people have weak
   passwords that they reuse across multiple sites (see '[1]How to Help a
   Friend Whose Email Has Been Hacked to Send Scams,' 5 May 2022). Why
   don't we instead get to use sophisticated biometric authentication like
   Touch ID and Face ID more broadly? That may happen in the coming year,
   thanks to [2]Apple, Google, and Microsoft committing to support the
   FIDO standard for passwordless logins.

   To an extent, all three companies already support FIDO Alliance
   standards to enable passwordless logins, but this announcement expands
   those capabilities by providing automatic access to FIDO passkeys on
   multiple devices without having to re-enroll every account and by
   allowing FIDO authentication on a mobile device to sign in to an app or
   website on another device nearby, regardless of the operating system or
   Web browser in use.

   Last year at Six Colors, Dan Moren wrote about [3]Apple's Passkeys
   system, introduced as a technology preview at WWDC 2021. It gives a
   glimpse of how Apple thinks this new passwordless authentication
   approach will work. In short, when you sign up for an Internet account,
   you would create only a username; Passkeys would create the passkey and
   store it in your keychain. All the Internet service would have is your
   username and your public key. When you want to sign in later, all
   Passkeys would have to do is prove that your device has the
   corresponding private key, which it would do by asking you to
   authenticate via Touch ID or Face ID. That would raise questions about
   how users would deal with the loss of a device and seemingly eliminate
   the possibility of signing in using someone else's device, but those
   are implementation details.

   With luck, we'll start to see Passkeys (or whatever Apple ends up
   calling it) implemented for real in the upcoming releases of macOS 13,
   iOS 16, iPadOS 16, and watchOS 9. As the press release says:

     These new capabilities are expected to become available across
     Apple, Google, and Microsoft platforms over the course of the coming
     year.

   It can't happen soon enough. Death to passwords!

References

   1. https://tidbits.com/2022/05/05/how-to-help-a-friend-whose-email-has-been-hacked-to-send-scams/
   2. https://www.apple.com/newsroom/2022/05/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard/
   3. https://sixcolors.com/post/2021/06/wwdc-2021-apple-takes-the-first-steps-to-a-password-less-future/

.