The Pre-Post-Password World is Getting… Complex
Passwords are, well, terrible. At least, that’s just about what every IT security expert thinks. Users forget them a lot (half of Americans say they have to reset their passwords more than 5 times a month), they’re insecure (“111111”), and they’re time-consuming (we spend 11 hours a year typing them).
Kicking Passwords While They’re Down
So it’s a good thing that earlier this month Apple, Google, and Microsoft jointly announced their intention to start supporting FIDO (“Fast Identity Online”) passkey authentication on all of their browsers, platforms, and operating systems before the end of 2022. It’s been a long time coming, since all three are part of the FIDO Alliance (an international who’s who of orgs, agencies, and institutions that really don’t want to have to keep paying over a million dollars a year to reset all of our passwords) and have each been moving toward what Apple called “the post-password world.”
That’s still a ways away though. In the meantime, we’ll all be stuck in the pre-post-password world. Gartner Research estimates that the majority of all authentication will still rely on passwords by 2025. That means in this pre-post-password world of ours, FIDO-backed passkey tech will just be one more way for users to log in. And users already have a lot of ways to log in.
“In the meantime, tech companies will need to maintain both passwordless and password-based login schemes. In its new white paper and elsewhere, FIDO is working to support this transition, but as with any other tech migration (ahem, Windows XP), the road will inevitably prove arduous.”
– Lily Hay Newman, Wired
But before we even get into that, you might be asking yourself, “Uh, what is a passkey?”
WebAuthn and Passkeys
It starts with an authentication standard called WebAuthn (“Web Authentication”). Under the hood, WebAuthn combines two factors of authentication. The first factor is “something you have.” In this case, that’s a private key (stored locally on your device) that’s used together with its matching public key (registered on a website’s server) to prove your identity. The second factor is “something you are,” i.e. biometrics (you might use a security key instead, especially if you’re not on a mobile device).
From the point of view of the average user trying to log in to an app or service that supports the WebAuthn standard, the whole process would seem a lot like plain old biometrics because the public-key cryptography happens behind the scenes. FIDO’s proposed passkeys are a lot like WebAuthn, except they’re multi-device. That’s what makes them such a big deal and why they’re being touted as password killers. Again, nobody expects passkeys to dethrone passwords immediately, but that’s what’s going to make the pre-post-password world so complex for the enterprises who have to live in it.
“The Reports of My Death Are Greatly Exaggerated” – Passwords
When Apple, Google, and Microsoft start to roll out passkey support later this year, software engineers will have to figure out how to implement them alongside the myriad options users already have to choose from, options that still use passwords.
In addition to vanilla email and password authentication, there’s SSO (single sign-on; think of when you log in to Facebook and you’re automatically logged in to Instagram too because they’re both Meta products), federated authentication/social login (think of when you log in to TikTok with your Apple ID), and other kinds of multi-factor authentication. These implementations aren’t just “one and done” processes for the software engineers who have to build them…
Passkey authentication won’t be static either, especially in the beginning, as the rate of adoption accelerates and the technology is battle-tested by the users relying on it and the software engineers building on it.
But if you’re using the Onymos Access Feature you don’t have to worry about any of that stuff. Access is trusted by companies like Albertsons to protect sensitive patient data, personal information, and online accounts. It’s updated quarterly with the latest versions, bug fixes, and functionality from integrated third-party cloud providers (Apple, Azure, Facebook, and Google). That will include their passkey support. Plus, Access comes with email and password authentication too. Not to mention an optional database to store user information.
And it’s all configured for you, out of the box.
Try Onymos, and focus on building your tech innovations. We’ll keep you secure in the pre-post-password world.