A trio of tech giants want you to phone in your next password.
No, not by falling back to some easily-memorized password, but by using your smartphone to log you into another nearby device of yours, such as your laptop. Google has announced that it would support a passwordless sign-on system in the Android and Chrome operating systems. In addition, Apple and Microsoft said they will do the same in their operating systems and browsers. That will allow you to mix and match platforms—say, using an Android phone to whisk you into an account in Safari on a Mac, or an iPhone to log in on Edge on a Windows PC.
It will work a bit like a USB security key does now for a laptop or desktop, except that where those compact fobs from Yubico and others still expect you to type in your password first on that device, here unlocking your phone near the other computer will suffice.
These joint announcements on World Password Day (one of the worst celebrations of bureaucratic annoyance, after Tax Day), builds on earlier moves to eliminate the password as the primary defense for an account.
In this new passwordless world, you might still create an account with a traditional username and password, but associating that account with your (properly secured) smartphone will take the place of the traditional string of characters.
“In the past, our logins would be passwordless in certain situations, but you couldn’t really get rid of the password,” says Sam Srinivas, director of authentication security at Google.
There’s an obvious benefit to not having to remember a password (or the master password to the password manager that you should be using). The less obvious upgrade: This passwordless architecture, like USB security keys, is phishing resistant. Your phone will ignore requests from a fake site for the cryptographically secure passkey that authenticates you at the real site, just as a USB security key will disregard lookalike fake pages that could fool a human.
If an attacker somehow obtains the original password to an account or steals a computer on which that login is saved, tricking you into letting them in with a tap of a notification prompt on your phone won’t work.
“This is MFA done right,” says Srinivas, who doubles as president of FIDO Alliance, an industry group that develops post-password security standards. “It’s only going to work if you’re right next to the computer”—as verified with Bluetooth short-range wireless.
USB security keys were an earlier product of FIDO, short for “Fast IDentity Online.” While they also can’t be remotely exploited, they cost extra, usually starting at $20, and require their own separate enrollment before use. They’re also yet another small object to remember—and then maybe to lose.
“When we started on this journey with FIDO, physical proximity was the magic touch,” says Christiaan Brand, senior product manager at Google. “With this particular piece of technology, we’re bringing that back in.”
But giving your smartphone an even bigger security rule also increases the risk attached to its loss or theft. An attacker who could defeat its biometrics or guess your screen-unlock code or pattern might be in a position to start rolling up all your accounts, although that’s also a risk with mobile password-manager apps.
Losing a smartphone definitely risks inconvenience, although the passkeys saved on it are synced automatically and securely (and, Srinivas clarified, aren’t subject to backup-storage quotas). Until you get a new phone and restore that from backup, for example, signing into a new device won’t work unless you have a backup authentication method handy.
But that, too, is the case if you lose a phone you’ve used as a second authentication factor or on which you run a password manager.
Srinivas says he continues to recommend using separate USB security keys “for extremely sensitive situations” (think accounts that are core to a highly visible online identity or which offer control of large sums of money).
For that matter, Google itself is not ready to ditch passwords in its account-creation flow, and Srinivas says he expects that to continue “for a few more tomorrows.”
But even if today’s news falls short of its promise (and we’ve all bought into the false hype before), a login experience that is not so much passwordless but does qualify as password-light would still rank as an upgrade.
“The password is fundamentally phishable,” says Srinivas.