Little by little, technology giants are betting on a world without passwords, in which other authentication strategies considered more secure take their place. Such is the case of Microsoft, which in September last year announced that all users with a Microsoft account could delete their passwords if they so desired.
This is possible thanks to Microsoft Authenticator, Windows Hello, a security key, or a verification code sent to a cell phone or email address, any of which can be used to sign in to apps and services.
Now Google is also preparing to go in that direction, since it proposes a system based on access keys. This is a new proposal that links a private key to the user's personal account and allows it to be synchronized between devices for use on websites.
The FIDO (Fast Identity Online) Alliance, to which some of the most important technology companies belong and which aims to create new secure standards for digital service management, has proposed a new approach to security that leaves both passwords and two-factor authentication behind.
These are multi-device credentials, designed to resist phishing, which has grown so much in recent times.
In this case, the proposal stores cryptographic information on the device (mobile, computer or tablet): a private key that generates a signature. When the user tries to access a website, the server verifies that the signature was actually created with that private key.
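The signature check described above, as an added example (not code from the article or from the FIDO Alliance): a simplified Node.js model of the challenge-response exchange, not the actual WebAuthn message format. The function names, the `clientData` layout and the origins are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Registration: the device creates a key pair. Only the public key goes to the server.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// Device side: sign the server's challenge together with the origin the browser is on.
// The origin is reported by the browser, so the page being visited cannot choose it.
function signAssertion(device, challenge, origin) {
  const clientData = JSON.stringify({ challenge: challenge.toString('base64'), origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server side: check the signature first, then that it covers this login's challenge
// and the server's own origin.
function verifyAssertion(serverRecord, expectedChallenge, expectedOrigin, assertion) {
  const signed = Buffer.from(assertion.clientData);
  if (!crypto.verify('sha256', signed, serverRecord.publicKey, assertion.signature)) return false;
  const data = JSON.parse(assertion.clientData);
  const challenge = Buffer.from(data.challenge, 'base64');
  return data.origin === expectedOrigin &&
    challenge.length === expectedChallenge.length &&
    crypto.timingSafeEqual(challenge, expectedChallenge);
}

// Constructed scenario: one registration, then three login attempts.
function demo() {
  const SITE = 'https://shop.example';           // constructed origin
  const LOOKALIKE = 'https://shop-example.test'; // constructed look-alike origin
  const { device, serverRecord } = register();
  const challenge = crypto.randomBytes(32);      // fresh for every login attempt
  const genuine = signAssertion(device, challenge, SITE);
  const relayed = signAssertion(device, challenge, LOOKALIKE); // signed while on the look-alike
  return {
    genuine: verifyAssertion(serverRecord, challenge, SITE, genuine),
    relayed: verifyAssertion(serverRecord, challenge, SITE, relayed),
    replayed: verifyAssertion(serverRecord, crypto.randomBytes(32), SITE, genuine),
  };
}

console.log(demo());
```

Only the login signed on the genuine origin for the current challenge is accepted; the server never holds a secret that could be phished or reused elsewhere.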
In the case of Android, access keys are saved in the Google account, allowing this information to be synchronized between devices, useful if, for example, you switch to a new mobile phone.
The user will still have to log in to their account with the password, but will not need one for web services.
In practice, this process works in a similar way to a password manager, and is known commercially as an access key, as mentioned by the alliance in its March 2022 report on how FIDO addresses a full range of use cases.
“Like password managers with passwords, the underlying operating system platform will synchronize cryptographic keys that belong to a FIDO credential from one device to another. This means that the security and availability of a user's synchronized credential depends on the security of the underlying OS platform authentication mechanism (Google, Apple, Microsoft, etc.) for their online accounts, and on the security method of restoring access when all the (old) devices are lost,” one of the FIDO documents reads.
Last year, Apple announced a new authentication feature, called Passkeys, that would allow users to use FaceID or TouchID to sign in to websites compatible with this system. In this way, they would not need to use a password as they would use a biometric system.
The announcement was made in June last year, at the developer session entitled Move beyond passwords, offered by Apple as part of its annual event (WWDC 21) for developers.
As the company explained, it is also based on the protocol promoted by the FIDO Alliance, which Apple joined in February 2020 to improve online authentication.
Passkeys avoids having to remember a password when logging into a website, as long as the page in question supports this technology.
Instead of a password, the username is paired with FaceID facial recognition or a TouchID fingerprint.
Support for it has already been included in iOS, in the second beta of version 15.5. For its part, Google is working to include this new initiative, as 9to5Google identified by examining some lines of code in the latest version of Google Play Services (version 22.15.14).