A World without Passwords: Coming Soon?

Apple, Google and Microsoft have announced that they will soon support a method of authentication that avoids passwords and instead requires users to unlock their smartphones in order to sign in to websites and online services. Although a world without passwords is years away, experts say the changes will help defeat many types of phishing attacks and ease the burden of passwords on internet users.

The three tech giants are part of an industry-led effort to replace passwords. Because passwords are easily forgotten, frequently stolen, and sometimes leaked or sold online, a true passwordless authentication method would be a great security benefit.

Apple, Google and Microsoft have been active contributors to a passwordless sign-in standard crafted by the Fast Identity Online (FIDO) Alliance and the World Wide Web Consortium (W3C). Over the past ten years these groups have worked with hundreds of tech companies to develop login standards that work the same way across different browsers and operating systems.

According to the FIDO Alliance, users will be able to sign in to websites and services through the same action they take to unlock their devices, such as entering a PIN or using a fingerprint or face scan.

“This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS,” the alliance wrote on May 5.

Sampath Srinivas, the director of security authentication at Google and president of the FIDO Alliance, said that under the new system your phone will store a FIDO credential called a “passkey” which is used to unlock your online account.

“The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone,” Srinivas wrote. “To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer.”
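The mechanism Srinivas describes, a per-site key pair whose private half stays on the phone and is only used after the phone is unlocked, is what gives passkeys their phishing resistance. The following Python model is an added example, not code from the article, the FIDO Alliance or any of the vendors named: it walks through registration, a challenge-response login, a replayed challenge, a locked phone, and a look-alike site relaying a genuine challenge. The toy Schnorr signature over Z_p^*, the class names and the domains example.com and example-login.net are all constructed for illustration; real authenticators use ECDSA, EdDSA or RSA keys held in hardware.

```python
import hashlib
import json
import secrets

# Toy Schnorr signature over Z_p^*: a stand-in for the authenticator's real
# ECDSA/EdDSA/RSA key. Constructed for illustration only, not for real use.
P = 2**127 - 1   # Mersenne prime used as the modulus
G = 3            # fixed group element used as the base
Q = P - 1        # order of the multiplicative group; exponents reduce mod Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private scalar
    return x, pow(G, x, P)                    # (private, public)

def _hash_int(*parts: bytes) -> int:
    h = hashlib.sha256()
    for part in parts:                        # length-prefix each part
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")

def sign(priv: int, msg: bytes) -> tuple:
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = _hash_int(r.to_bytes(16, "big"), msg) % Q
    return e, (k - priv * e) % Q

def verify(pub: int, msg: bytes, sig: tuple) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(pub, e, P) % P     # equals g^k for a valid signature
    return _hash_int(r.to_bytes(16, "big"), msg) % Q == e

class Authenticator:
    """Models the phone: one key pair per site (RP ID), usable only while unlocked."""
    def __init__(self):
        self._creds = {}          # rp_id -> (credential id, private key)
        self.unlocked = False

    def unlock(self, ok: bool):   # stands in for PIN / fingerprint / face unlock
        self.unlocked = ok

    def register(self, rp_id: str):
        if not self.unlocked:
            raise PermissionError("device locked")
        priv, pub = keygen()
        cred_id = secrets.token_hex(8)
        self._creds[rp_id] = (cred_id, priv)
        return cred_id, pub       # only the public key leaves the device

    def get_assertion(self, rp_id: str, client_data: bytes):
        if not self.unlocked:
            raise PermissionError("device locked")
        if rp_id not in self._creds:
            raise LookupError("no passkey scoped to " + rp_id)
        cred_id, priv = self._creds[rp_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
        sig = sign(priv, auth_data + hashlib.sha256(client_data).digest())
        return cred_id, auth_data, sig

def browser_get(phone: Authenticator, origin: str, challenge: str):
    """The browser, not the page, derives the RP ID from the origin and records
    that origin inside the client data the authenticator signs over."""
    rp_id = origin.split("://", 1)[1].split("/")[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    cred_id, auth_data, sig = phone.get_assertion(rp_id, client_data)
    return cred_id, client_data, auth_data, sig

class RelyingParty:
    """The website: stores public keys, issues one-time challenges, checks assertions."""
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.users = {}           # username -> {"cred_id": ..., "pub": ...}
        self.pending = {}         # outstanding challenge -> username

    def begin_login(self, username: str) -> str:
        challenge = secrets.token_urlsafe(16)
        self.pending[challenge] = username
        return challenge

    def finish_login(self, cred_id, client_data: bytes, auth_data: bytes, sig) -> bool:
        cd = json.loads(client_data)
        username = self.pending.pop(cd.get("challenge"), None)   # single use
        if username is None or cd.get("type") != "webauthn.get":
            return False
        if cd.get("origin") != self.origin:       # signed origin must be ours
            return False
        rec = self.users.get(username)
        if rec is None or rec["cred_id"] != cred_id:
            return False
        if auth_data != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        return verify(rec["pub"], auth_data + hashlib.sha256(client_data).digest(), sig)

def demo() -> dict:
    rp, phone = RelyingParty("example.com", "https://example.com"), Authenticator()
    phone.unlock(True)
    cred_id, pub = phone.register("example.com")
    rp.users["alice"] = {"cred_id": cred_id, "pub": pub}
    out = {}
    # Normal login, then the same assertion replayed (challenge already consumed)
    assertion = browser_get(phone, "https://example.com", rp.begin_login("alice"))
    out["login"] = rp.finish_login(*assertion)
    out["replay"] = rp.finish_login(*assertion)
    # Locked phone: the authenticator will not sign anything
    phone.unlock(False)
    try:
        browser_get(phone, "https://example.com", rp.begin_login("alice"))
        out["locked"] = True
    except PermissionError:
        out["locked"] = False
    phone.unlock(True)
    # Look-alike site relays a genuine challenge: no passkey is scoped to its domain
    try:
        browser_get(phone, "https://example-login.net", rp.begin_login("alice"))
        out["phish"] = True
    except LookupError:
        out["phish"] = False
    # Origin rewritten after signing: the relying party's origin check rejects it
    cred_id, cd, ad, sig = browser_get(phone, "https://example.com", rp.begin_login("alice"))
    tampered = cd.replace(b"https://example.com", b"https://example-login.net")
    out["tampered"] = rp.finish_login(cred_id, tampered, ad, sig)
    return out
```

Calling `demo()` returns a dictionary in which only the genuine login succeeds. The two properties that matter for phishing are visible in the code: the key pair is scoped to the site's RP ID, so a look-alike domain has nothing to ask the phone for, and the origin is part of the signed client data, so a relayed or rewritten assertion is rejected by the site that issued the challenge.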

Apple, Google and Microsoft already support these passwordless standards, but users currently need to sign in to each website separately before they can use them. Under the new standard, users can automatically access their passkey on many of their devices without having to re-enroll every account, and can use their mobile device to sign in to an app or website on a nearby device.

Johannes Ullrich, dean of research for the SANS Technology Institute, called the announcement “by far the most promising effort to solve the authentication challenge.”

“The most important part of this standard is that it will not require users to buy a new device, but instead they may use devices they already own and know how to use as authenticators,” Ullrich continued.

Steve Bellovin, a computer science professor at Columbia University and an early internet researcher and pioneer, referred to this effort as a “huge advance” in authentication, but said it will take a very long time for many websites to catch up.

Bellovin and others worry about one particular caveat that could present itself in this passwordless authentication scheme: What if someone loses or breaks their phone?

“I worry about people who can’t afford an extra device, or can’t easily replace a broken or stolen device,” Bellovin said. “I worry about forgotten password recovery for cloud accounts.”

In response to this concern, Google says that if you lose your phone, “your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.”

Apple and Microsoft also have cloud backup solutions through which users could recover from a lost mobile device. However, Bellovin said much depends on how securely those cloud systems are administered.

“How easy is it to add another device’s public key to an account, without authorization? I think their protocols make it impossible, but others disagree,” said Bellovin.

Nicholas Weaver, a lecturer in the Computer Science department at the University of California, Berkeley, says that websites will still need some recovery mechanism for the case in which both a phone and a password have been lost. Weaver describes this as a “really hard problem to do securely and already one of the biggest weaknesses in our current system.”

Weaver continued that “If you forget the password and lose your phone and can recover it, now this is a huge target for attackers. If you forget the password and lose your phone and CAN’T, well, now you’ve lost your authorization token that is used for logging in. It is going to have to be the latter. Apple has the infrastructure in place to support it (iCloud keychain), but it is unclear if Google does.”

Even so, Weaver says that the overall FIDO approach has been a great tool for improving both security and usability.

“It is a really, really good step forward, and I’m delighted to see this,” Weaver said. “Taking advantage of the phone’s strong authentication of the phone owner (if you have a decent passcode) is quite nice. And at least for the iPhone you can make this robust even to phone compromise, as it is the secure enclave that would handle this and the secure enclave doesn’t trust the host operating system.”

The three tech giants said that the new passwordless capabilities will be enabled across their platforms over the course of the coming year. Experts warn that it will likely take several years for smaller websites and apps to adopt this technology and ditch passwords altogether.

Research shows that too many users still reuse and recycle passwords, which presents a significant risk of their accounts being breached. Cybersecurity firm SpyCloud found that 64 percent of users reuse passwords across multiple accounts, and that 70 percent of credentials compromised in previous breaches are still in use. This new form of authentication could dramatically reduce the number of accounts being breached.

Story via Krebs on Security