Big U.S. technology companies Google, Apple and Microsoft are campaigning to make this the year that a new passwordless standard becomes more widely accepted, including for payments.
The companies argue the new standard not only avoids the consumer headaches of being forced to remember countless passwords, it also provides a more secure approach to e-commerce and a better guard against fraud and phishing attacks.
“This is the year,” Christiaan Brand, Google’s product manager for identity and security, declared at the American Banker media outlet’s Payments Forum in Phoenix last week. “If there isn’t a password, there is nothing to keep updated.”
Google has been working with the FIDO Alliance, short for the Fast Identity Online Alliance, since 2013 to create a new passwordless era, as have other technology companies. The alliance was founded in 2012 when digital payments pioneer PayPal and other companies began brainstorming a passwordless authentication protocol that would be driven by biometrics and public-key cryptography.
Google, Apple and Microsoft publicly bolstered their support for the new standard earlier this year in a May 5 public statement of support for the FIDO Alliance and World Wide Web Consortium.
“The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms,” the tech companies said in the statement.
Under the new standard, users would verify their identity with their fingerprint or face, or by using a device PIN.
The tech companies said they expect the new capabilities to become available on Apple, Google and Microsoft products and services over the coming year.
The federal government also favors moving consumers past the use of passwords, Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, said in the statement. “Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords,” she said in reference to the enhanced support from the three big tech companies.
A powerful aspect of the new standard, and the technology developed around it, is that users will be able to transfer their login credentials, called a passkey, to a new device where they haven’t used the passwordless sign-on previously, Brand said at the conference.
“This is a technology that transcends just an application on a single phone,” with the same credential used across web and app use on various devices, Brand said in speaking on a May 17 panel at the conference.
KeyBank is piloting the use of the new passwordless standard and reviewing its feasibility, Jen Martin, head of enterprise fraud services at the bank, said in speaking on that Payments Forum panel.
Still, some cybersecurity consultants have their doubts about the use of passwords expiring anytime soon. Merritt Maxim, who specializes in security and risk as a research director at Forrester Research, told the Wall Street Journal that he doesn’t believe passwords will disappear anytime soon.
Passwords are “the cockroaches of the internet,” Maxim said, suggesting they’re irritating and hard to kill, but worth getting rid of.
But Tom Thimot, CEO of Denver-based identity verification company authID.ai, has more faith the tech companies’ new push will make a difference, “after everyone has been talking about passwordless forever.” He called the renewed support a “monumental” development.
The world will quickly move away from username and password, he predicted. When Google, Microsoft and Apple together send notices to customers that they’re doing away with passwords, “there’s going to be a giant hallelujah,” he said.
Then, it will be a matter of educating consumers, their getting used to no more text message authentication and asking people to occasionally turn their phones to their faces, Thimot said.