A trio of tech giants want you to phone in your next password. No, not by falling back to some easily-memorized password, but by using your smartphone to log you into another nearby device of yours, such as your laptop. Google has announced that it would support a passwordless sign-on system in the Android and Chrome operating systems. In addition, Apple and Microsoft said they will do the same in their operating systems and browsers. That will allow you to mix and match platforms—say, using an Android phone to whisk you into an account in Safari on a Mac, or an iPhone to log in on Edge on a Windows PC. It will work a bit like a USB security key does now for a laptop or desktop, except that where those compact fobs from Yubico and others still expect you to type in your password first on that device, here unlocking your phone near the other computer will suffice. These joint announcements on World Password Day (one of the worst celebrations of bureaucratic annoyance, after Tax Day), builds on earlier moves to eliminate the password as the primary defense for an account. In this new passwordless world, you might still create an account with a traditional username and password, but associating that account with your (properly secured) smartphone will take the place of the traditional string of characters. “In the past, our logins would be passwordless in certain situations, but you couldn’t really get rid of the password,” says Sam Srinivas, director of authentication security at Google. [Image: courtesy of Google]There’s an obvious benefit to not having to remember a password (or the master password to the password manager that you should be using). The less obvious upgrade: This passwordless architecture, like USB security keys, is phishing resistant. Your phone will ignore requests from a fake site for the cryptographically secure passkey that authenticates you at the real site, just as a USB security key will disregard lookalike fake pages that could fool a human. If an attacker somehow obtains the original password to an account or steals a computer on which that login is saved, tricking you into letting them in with a tap of a notification prompt on your phone won’t work. “This is MFA done right,” says Srinivas, who doubles as president of FIDO Alliance, an industry group that develops post-password security standards. “It’s only going to work if you’re right next to the computer”—as verified with Bluetooth short-range wireless. USB security keys were an earlier product of FIDO, short for “Fast IDentity Online.” While they also can’t be remotely exploited, they cost extra, usually starting at $20, and require their own separate enrollment before use. They’re also yet another small object to remember—and then maybe to lose. “When we started on this journey with FIDO, physical proximity was the magic touch,” says Christiaan Brand, senior product manager at Google. “With this particular piece of technology, we’re bringing that back in.” But giving your smartphone an even bigger security rule also increases the risk attached to its loss or theft. An attacker who could defeat its biometrics or guess your screen-unlock code or pattern might be in a position to start rolling up all your accounts, although that’s also a risk with mobile password-manager apps. (Reminder: Reusing passwords—a bad habit that people repeatedly admit to indulging—all but guarantees that the compromise of one account, perhaps in a data breach, will only endanger others.) Losing a smartphone definitely risks inconvenience, although the passkeys saved on it are synced automatically and securely (and, Srinivas clarified, aren’t subject to backup-storage quotas). Until you get a new phone and restore that from backup, for example, signing into a new device won’t work unless you have a backup authentication method handy. But that, too, is the case if you lose a phone you’ve used as a second authentication factor or on which you run a password manager. Srinivas says he continues to recommend using separate USB security keys “for extremely sensitive situations” (think accounts that are core to a highly visible online identity or which offer control of large sums of money). For that matter, Google itself is not ready to ditch passwords in its account-creation flow, and Srinivas says he expects that to continue “for a few more tomorrows.” But even if today’s news falls short of its promise (and we’ve all bought into the false hype before), a login experience that is not so much passwordless but does qualify as password-light would still rank as an upgrade. “The password is fundamentally phishable,” says Srinivas.
Connectez-vous pour ajouter un commentaire
Autres messages de ce groupe
Now that the “100 men vs. one gorilla” debate has been settled, a new question is circulati
The rideshare market has reached a crossroads. Autonomous vehicles are on the rise, driver unrest is mounting, and customers are questioning everything from pricing to trust and safety. In the mid
A group backed by tech billionaires spent years and $800 million secretly buying up over 60,
Move aside, Google Maps: Snapchat’s Snap Map has hit a major milestone with 400 million monthly active users.
Launched in 2017, Snap Map began as a GPS-based feature that allowed users t
In April 2024, Yahoo acquired Artifact, a tool that uses AI to recommend news to readers. Yahoo folded Artifact’s—which was cofounded by Instagram cofounders Mike Krieger and Kevin Systrom—into it
It is hard to believe that in 2025, we are still dialing to schedule doctor appointments, get referrals, refill prescriptions, confirm office hours and addresses, and handle many other healthcare
Email: It’s one of the more evil of the necessary evils. We all spend a significant chunk of our days wading through messages, to the point that it can feel like a never-ending task. Save us, arti
