The FIDO Alliance, an organization dedicated to removing the need for passwords, got a big boost last week when Apple signed up as a board member. FIDO stands for Fast IDentity Online.
Apple obviously wasn’t ready to reveal its support immediately, as tweets from a FIDO Alliance conference were quickly deleted, but the news is official as of today.
While that tweet did not stay up for long, Apple was added to the official website today as a board member alongside tech companies such as Amazon, Arm, Facebook, Google, Intel, Microsoft and Samsung. A number of big-name financial companies are also members of the board, including American Express, ING, Mastercard, PayPal, Visa and Wells Fargo.
The problem with passwords
For years I’ve been saying that passwords are bad.
Unlike password managers, biometric authentication such as Face ID and Touch ID helps, but there is still an irritating number of times when you need to enter passwords manually.
Passwords are even worse for non-techies, who frequently stick to the same password for almost every website, app and service out there, which ensures that all of their other logins will be compromised as soon as any one of them gets hacked. (In general, hackers harvest credentials from poorly secured websites and then try them on valuable ones.)
Why the FIDO Alliance wants to replace passwords
The FIDO Alliance’s suggestion is that trusted devices should replace passwords. This would work in much the same way that Apple uses Apple devices for two-factor authentication (2FA). If you try to sign in with your Apple ID on a new Apple device, the company sends a code to a trusted device and you enter that code.
With Apple’s system this is an additional step, but what the FIDO Alliance wants is to replace passwords with a similar approach, and you wouldn’t have to enter a code.
For example, if you’re trying to log in to a website on your iPhone, you’d enter only your username, and an authentication request would then be sent to one of your other registered devices, like an Apple Watch. You could just press to authorize. Likewise, you’d be able to approve it on your iPhone when you use a service on your Mac, and so on.
While that might sound like weaker security, it is actually safe. Only one of your own trusted devices can make an authentication request as you, and only another of your own trusted devices can accept the request. An intruder who wants to impersonate you would need to physically possess two of your trusted devices and be signed in to both. They’d need your iPhone and its passcode, and your Mac and its password, for example.
Although Apple’s system is restricted to its own devices, the alliance needs all manufacturers to sign up to this approach, so you would also be able to approve access on an Android smartphone, Android tablet, Chromebook, Windows PC or any other trusted device.
Nok Nok Labs, another member of the board of the FIDO Alliance, also provides an SDK for the Apple Watch.
There is still much more work to be done before we finally move beyond passwords. Every website, or at least every web and app authentication system, would basically need to sign up. But Apple lending its weight should do a lot to increase interest.