Apple, Google and Microsoft have agreed a joint program to boost passwordless sign-ins. They’ll give greater support to the FIDO Alliance standard.
The idea is to almost completely remove the need to use any passwords, sidestepping the trade-off between security and convenience. At the moment FIDO often requires users to type in a password the first time they sign in to a new app or service.
The idea of the cross-platform support is that a phone becomes the sole tool needed for sign-in. It would still be multi-factor authentication, with the two factors being physical possession of the device and either biometrics to unlock the phone, or knowledge of the phone’s login code.
The system also uses Bluetooth (which could limit it on older computers) but not to transfer any secure data. Instead, it’s to check the phone is near the device on which the user is trying to log in to a secure account or site. That’s designed to further reduce the risk of phishing scams.
Microsoft’s Vasu Jakkal told The Verge that the cross-platform support was key: “For example, users can sign-in on a Google Chrome browser that’s running on Microsoft Windows—using a passkey on an Apple device.”
The phone would store a passkey, which is shared with websites and apps during a login. This passkey would be part of the usual device backup, meaning it could be transferred when the user got a new phone.