Apple, Google and Microsoft announced Thursday that they planned to expand support for a common standard created by the FIDO Alliance and the World Wide Web Consortium that does not require a password to sign in.
“This will simplify sign-ins across devices, websites and applications no matter the platform — without the need for a single password,” wrote Sampath Srinivas, PM director of Secure Authentication at Google and president of the FIDO Alliance, in a blog post.
WHY IT MATTERS
The FIDO Alliance – whose executive council comprises Srinivas along with representatives from Microsoft, Amazon, Intel, Thales and NTT DoCoMo – has been working toward a passwordless authentication protocol since 2012.
As noted in a joint press release, password-only authentication can create security issues that span industries – leading to account takeovers, data breaches and disrupted services.
“While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure,” said the companies.
Srinivas explained that the collaboration among Google, Apple and Microsoft means that a phone can store a FIDO credential called a passkey, which is used to unlock online website accounts or apps without a password.
“The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone,” said Srinivas. “To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access.
“Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer. Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off,” Srinivas continued.
The capabilities are expected to become available across Apple, Google and Microsoft platforms over the course of the coming year.
“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier and faster than the passwords and legacy multi-factor authentication methods used today,” said Alex Simons, corporate vice president of Identity Program Management at Microsoft, in a statement.
“By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords,” Simons said. “We see a bright future for FIDO-based credentials in both consumer and enterprise scenarios and will continue to build support across Microsoft apps and services.”
Privacy and security experts cheered the decision, saying it will help enable best practices.
“At CISA, we are working to raise the cybersecurity baseline for all Americans. Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords,” said Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, in a statement.
“Cyber is a team sport, and we’re pleased to continue our collaboration,” said Easterly.
THE LARGER TREND
Although not specifically geared toward healthcare, the passwordless strategies supported by Google, Microsoft and Apple have been used by some health systems to bolster their cybersecurity profile.
North York General Hospital, an academic medical center in Toronto, has worked with Thales – whose head of consulting and industry relations, Alain Martin, serves as the FIDO Alliance’s treasurer – to provide hardware-based encryption technology and with IDENTOS to enable FIDO authentication.
And the need for a more powerful cyber defense strategy is self-evident. Phishing incidents have troubled health systems for years, allowing bad actors access to sensitive data – and poor password hygiene makes hackers’ jobs even easier.
ON THE RECORD
“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, Apple’s senior director of platform product marketing, in a statement.
“Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience – all with the goal of keeping users’ personal information safe,” Knight said.
Kat Jercich is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.