Main menu

Pages

A world without passwords can lock users into Apple or Android

The prospect of a world without passwords couldn’t come soon enough for me, but an issue was raised with the FIDO standard designed to remove the need for them. Namely, giving up passwords may make it more difficult to switch between ecosystems.

If you have passkeys setup for Apple devices, there is nothing in the standard that allows you to transfer them to your Android device, or vice versa…

A world without passwords

A world without passwords is the mission of the FIDO Alliance (Fast IDentity Online).

Currently, to log into a website or app, we usually enter a username and password. We’ve argued for years that passwords are a pretty horrible way to security – and it even increases with every additional service we use. Security questions as a raw form of two-factor authentication are an even bigger mess.

What FIDO does is instead allow our device to authenticate us. The logic is this (using iPhone with Face ID as an example):

  • A website or app asks you to identify yourself and prove your identity.
  • The iPhone receives this request and activates Face ID.
  • If your face matches, your iPhone tells the website who you are,
    And it confirmed your identity.

NO PASSWORD INCLUDE AT ANY TIME: The authentication is performed on your device, not on the website’s server. The web server trusts your iPhone to authenticate you in exactly the same way that you trust your phone’s payment terminals for Apple Pay transactions.

Apple supports the standard

We first got one example of how this works on Apple devices in 2019. Then Apple officially confirmed that it would support the FIDO standard the following year.

It is also supported by other tech giants, such as Amazon, Arm, Facebook, Google, Intel, Microsoft and Samsung. And to make it clear that even financial services companies are satisfied with the approach’s security, FIDO’s board members include American Express, ING, Mastercard, Paypal, Visa and Wells Fargo.

A proposed update to the standard makes life easier by allowing an Apple device to authenticate another device via Bluetooth. In other words, if you’ve already used FIDO to sign into a website on your iPhone, it will also sign you in on your Mac if it’s within Bluetooth range. Apple’s implementation of this feature calls Passkeys in iCloud Keychain. This is only a suggestion at this point, but Apple, Google, and Microsoft all plan to support it.

lock problem

But as fast company Reports, there is currently nothing in the standard that allows switching between ecosystems. Passkeys are stored on your devices (and in the cloud, if this feature is confirmed), which is a problem if you want to switch from an iPhone to an Android phone, or vice versa.

The current FIDO proposal does not contain a mechanism for bulk transfer of passkeys between ecosystems. If you want to switch from an Android phone to an iPhone – or vice versa – you won’t be able to easily transfer all your passkeys.

“We don’t have a bulk export method at the moment,” says Andrew Shekiar, CEO of FIDO Alliance. “I think this will likely be a repeat in the future.”

By contrast, the tangible nature of passwords makes conveying them fairly easy. Major web browsers can import passwords from other browsers with just a few clicks, and most password managers can download users’ logins to a .csv spreadsheet, allowing users to manually upload them to a competing service.

Or, alternatively, you can only do it with one passkey at a time, which is pretty tedious.

In theory, this is a simple problem to solve: just allow passkeys to be exported and imported the same way passwords can be today. But given that FIDO is meant to be more secure than passwords, the Alliance is reluctant to allow that.

The fear is that if users can easily transfer all their passkeys between providers, hackers may try to exploit this possibility. At the moment, it is not clear when or how FIDO can address this issue.

“It’s very difficult to do it securely from the start, because if we introduce a mechanism without much care of someone to export all these keys, you know who will show up first for that,” says Srinivas. “It will not be the legitimate user.”

The most likely solution is to work with password managers such as 1Password and LastPass, as they will need a new role in a passwordless world. Both 1Password and Bitwarden are confident this will happen – but perhaps we shouldn’t expect it when FIDO first launches, either late this year or early next.

Photo: Nilay Patel/Unsplash

FTC: We use affiliate links to earn income. more.


Check out 9to5Mac on YouTube for more Apple news: