The prospect of a world without passwords can’t come soon enough for me, but a problem has been raised with the FIDO standard designed to eliminate the need for them. Namely, that abandoning passwords could make it harder to switch between ecosystems.
If you have your passkeys set up for Apple devices, there is nothing in the standard allowing you to transfer them to an Android device, or vice versa…
A world without passwords
A world without passwords is the mission of the FIDO Alliance (Fast IDentity Online).
Currently, to log in to a website or app, we usually enter a username and a password. We’ve been arguing for years that passwords are a pretty horrible approach to security – and getting even more so with each additional service we use. Security questions as a crude form of two-factor authentication are an even bigger mess.
What FIDO does is instead allow our device to authenticate us. The logic is this (using an iPhone with Face ID as an example):
- A website or app asks you to identify yourself, and prove your identity.
- Your iPhone receives that request, and activates Face ID.
- If your face matches, your iPhone tells the website who you are, and that it has confirmed your identity.
At no point is there a password involved: authentication is performed on your device, not on the website server. The web server trusts your iPhone to authenticate you in exactly the same way that payment terminals trust your phone for Apple Pay transactions.
Apple supports the standard
We first got to see one example of how this could work on Apple devices back in 2019. Apple then officially confirmed it would support the FIDO standard the following year.
It is also supported by other tech giants, such as Amazon, Arm, Facebook, Google, Intel, Microsoft, and Samsung. And to illustrate that even financial services companies are happy with the security of the approach, FIDO board members include American Express, ING, Mastercard, Paypal, Visa, and Wells Fargo.
A proposed update to the standard makes life even easier by allowing one Apple device to authenticate another, via Bluetooth. In other words, if you have already used FIDO to log in to a website on your iPhone, it would also log you in on your Mac if it is within the Bluetooth range. Apple calls its implementation of this feature Passkeys in iCloud Keychain. This is just a proposal at this point, but Apple, Google, and Microsoft all plan to support it.
The lock-in problem
However, as Fast Company reports, there is currently nothing in the standard to allow switching between ecosystems. Passkeys are stored on your devices (and in the cloud, if that feature is confirmed), which is a problem if you wanted to switch from an iPhone to an Android phone, or vice versa.
FIDO’s current proposal has no mechanism for bulk-transferring passkeys between ecosystems. If you want to switch from an Android phone to an iPhone — or vice versa — you won’t be able to easily move all your passkeys over.
“We don’t really have a batch export method right now,” says FIDO Alliance executive director Andrew Shikiar. “I think that’s probably a future iteration.”
By contrast, the tangible nature of passwords makes them fairly easy to transfer. Major web browsers can import passwords from other browsers with just a couple of clicks, and most password managers can download users’ logins to a .csv spreadsheet, letting users manually upload them to a competing service.
Or, rather, you can only do it one passkey at a time, which would be massively tedious.
In theory, this is a simple problem to solve: just allow passkeys to be exported and imported in the same way passwords can be today. But given that FIDO is meant to be more secure than passwords, the alliance is reluctant to allow that.
The fear is that if users can easily move all their passkeys between providers, hackers may try to exploit this capability. For now, it’s unclear when or how FIDO might address that problem.
“It’s very hard to do it safely from the get-go, because if we give a mechanism without great care for someone to export all these keys, you know who’s going to show up first for that,” Srinivas says. “It’s not going to be the legitimate user.”
The most likely solution is to work with password manager companies like 1Password and LastPass, as they would be in need of a new role in a passwordless world. Both 1Password and Bitwarden are confident that this will happen – but we probably shouldn’t expect it when FIDO first launches, either late this year or early next.
Photo: Nilay Patel / Unsplash