Sikov - stock.adobe.com

Apple, Microsoft, Google expand FIDO2 passwordless support

Achieving true passwordless experiences begins with companies working together to adopt standards that enable customers to use multiple devices seamlessly, regardless of OS.

The move toward abandoning passwords is coming closer as Apple, Google and Microsoft announced plans to expand support for the Fast Identity Online Alliance's FIDO2 specification, enabling users to enroll in passwordless authentication with multiple devices across the three platforms.

Users will soon be able to use passwordless authentication in Android and iOS, Chrome, Edge and Safari browsers, and on desktops with Windows and macOS.

The FIDO2 specification, which became generally available in 2018, enables vendors to implement secure passwordless authentication in their products using Client to Authenticator Protocol (CTAP), which secures communication between external authenticators and the browser or application, and WebAuthn, an API that enables browsers and applications to use FIDO.

In 2019, Android certified FIDO support, followed by the major web browsers and culminating in iOS adoption in January 2020. Andrew Shikiar, executive director and chief marketing officer at FIDO Alliance, described the latter event as a milestone that sealed broad support for FIDO2 passwordless.

There was a hitch, however -- one that greatly hindered UX. Users needed to enroll each device and application separately on different OSes, a cumbersome process.

With their May 5 announcement, Apple, Google and Microsoft aim to eliminate that friction. Users can soon enroll one device and share credentials with any approved application or device. Shikiar said he envisions it as becoming as simple a process as Apple's iCloud Keychain, which can be shared between iOS devices.

The announcement means users can bootstrap devices across platforms. Just as easily as users can enroll an iPad via an iPhone, they can now follow a similar process for enrolling an Android, iOS or Windows device. And instead of a remembering yet another password, users would authenticate to their device with biometrics or an on-device PIN, and a FIDO passkey -- a cryptographic token -- would enable authentication to apps and services.

How it works

The three vendors will use a protocol called cloud-assisted Bluetooth Low Energy (caBLE), which has been available from Google since 2019, to communicate between iOS, Android and Windows devices. How it works is users place an enrolled and unenrolled device within proximity and approve the enrollment on the first device. Going forward, they use the second device's passwordless capabilities, e.g., Face ID or Windows Hello, to log in to the new device and its applications.

Instead of passwords, public cryptography via the passkey will handle secret sharing. Private keys remain on the devices, while the public keys are shared with the authenticating servers. The user produces an enrolled device and uses built-in biometrics to unlock the device and agrees to share the key pair with the new device.

This new process reduces reliance on passwords because users no longer need a password banked for recovery should something happen to one device, rather they can just use another enrolled device to log back in.

FIDO not only helps increase security and simplify UX, said Jack Poller, analyst at Enterprise Strategy Group, a division of TechTarget, but it also means that it's available to a wider range of people.

The consumer side of the equation is expected to result in pressure on employers as employees get used to a passwordless experience, Poller said. "The user will say, 'this makes my life easier' and want the same thing from their workplace."

Deployment timeline

Questions remain about when this capability will be brought to the public. According to the FIDO Alliance's Shikiar, functionality will be available in CTAP and WebAuthn over the next year and is already live in a beta version.

This leaves the onus on the companies to implement the changes.

"A lot of the hardware technology is there already in our hands. Laptops, tablets and smartphones all contain biometrics and cameras," Poller said. "It's just a matter of updating the software, which these three vendors all do fairly frequently."

Dig Deeper on Identity and access management