Go ahead and post your favorite passwords in the comments; you won’t need them anymore
This might sound a little weird if you haven’t followed the development of sign-in standards over recent years, but Google has just announced that passwordless security is coming to Android and Chrome over the next year. That means signing into a secure account from a website or app will be as simple as unlocking your phone — and more secure than using a password.
I know this sounds a little weird to think about, and not using a password seems like it would introduce other issues, but it’s still secure in a fundamental way. Plus, passwords are pretty dumb when you think about them.
Passwords suck
If you don’t use a password, odds are you’ve succumbed to at least some password re-use between services, and that means a security vulnerability at one venue can easily spread to compromise multiple accounts. On top of that, you have to come up with a password — according to a recent survey by Google of 4,000 Americans, 19% say they’ve used a “common” easily-guessed password like 123456 or “Password.” Even when the stakes are high, people can be pretty stupid without realizing the true risk. And if you do use a password manager, how often do you change them? Google says 60% of Americans only swap passwords when they have to. And this is all ignoring their susceptibility to things like phishing attacks, keyloggers, and all sorts of other vulnerabilities.
When you get down to it, passwords aren’t great at what they’re supposed to do. So, why not get rid of them? That’s been a dream for security and one of the goals of the FIDO alliance: A better replacement for passwords.
People familiar with how two-factor authentication works in broad strokes probably already understand how passwordless authentication builds upon it. If not, just think in a chain-of-trust way, where you know you can trust certain devices because they’re already logged in. Rather than only relying on something you know — which can be shared, phished, or distributed through other means — passwordless authentication through systems like FIDO2 rely on something you have to prove you are you. Google’s opting to use your phone, according to the announcement (though it could probably also use other things, like some hardware 2FA security keys that support FIDO2 passwordless authentication).
Don’t you guys have phones?
We’ve all got a phone somewhere unless you’re an actual troglodyte, and that’s almost certainly tied to all your personal accounts. Google can use that phone to authenticate future logins. Replacing the password itself is the process of unlocking your phone, using something like a PIN, biometrics, or a password there (the latter, admittedly, defeating the purpose and convenience a little). You might think that this sounds less secure. After all, we’ve had it drilled into our heads for years that longer and more complicated is better, and isn’t a password more complicated than a few numbers? And you can change a password, but you can’t change your fingerprint.
It certainly seems less secure. But the truth is, none of that actually has an impact. No one is stealing your PIN and using it to log in from a computer in Russia; they need your phone for it to work. Being simpler isn’t a point against it. Passwordless autentication just makes things even more convenient while still being more secure than a password alone. And this way, there’s no complicated password to remember and no extra password manager to interface with. Your phone is a simple and safe bet.
A great diagram by Microsoft showing the relative security and convenience of different authentication methods.
As in the case of a hardware two-factor key, most phones can store a cryptographic key securely. Through the mathemagic of public-key cryptography, a stored passkey can be associated with your account, and the phone verified as tied to you. That way, when you go to sign in, Google can ping the phone, and a quick unlock proves that a) you’re the person tied to that phone since you were able to unlock it through a secure mechanism, and b) the login attempt is valid. When it comes to the logic of this operation, the only real change is dropping the password itself as a requirement, though there were other technical hurdles to clear. For example, FIDO2 has prerequisites like the WebAuthn API to work in browsers, and support for that needed to be rolled out widely first. Chrome picked it up back in 2018.
Coming soon, and already here
The idea of passwordless security may sound revolutionary, but it’s not that new. Yubico’s 5 series hardware security keys have supported passwordless FIDO2 since 2018. Last year, Microsoft rolled out support for passwordless authentication, and it even offers the option to disable your account’s password entirely. Google helped pioneer the idea of passwordless security as part of the FIDO alliance, and according to Microsoft, Chrome already has support on some platforms for passwordless authentication via FIDO2, though it hasn’t worked on mobile (yet). But, now that any lingering prerequisites are in place — the browsers we use support the right standards, phones (including iPhones) can store the keys required safely — Google has decided that it’s time.
You can keep using a hardware 2FA key if you want to, though.
A precise schedule for passwordless support in Android and Chrome wasn’t shared. I think Google just wanted to use Password Day to let people know that support is coming as part of a joint announcement with other participating companies. While Microsoft has arguably already been on this bandwagon for a while, it’s also part of today’s announcement. Apple is also joining in today with its own commitment — no huge surprise, given iOS 15, iCloud, and macOS 12 Monterrey support Apple’s Passkeys feature as a preview.
Two-factor authentication is already pretty secure — especially if you’re using the big-boy version with a hardware security key or an app-based generator rather than SMS messages — but the lack of convenience has prevented some folk from adopting it. Being secure doesn’t mean it’s easy to use, and I’d argue that carrying around a dedicated hardware key is actually pretty complicated. Passwordless support brings that same level of security with a convenience and simplicity anyone can use, better encouraging adoption. With 37% of survey respondents claiming they’ve been the victims of a compromised account, the death of the password may be one of the best things that has ever happened to us.