Andrew Shikiar, executive director and CMO, FIDO Alliance
World Password Day was created in 2013 to help people better secure their accounts by providing tips for better password hygiene: don’t reuse passwords; use a complex, random string of letters, numbers and characters; use a password manager. At the time of its inception, the intentions of this day were positive and necessary, as we didn’t have more secure, consumer-friendly alternatives readily available.
Technology and best practices have changed over the years, and many now use World Password Day to encourage users to level up their account security by enabling multi-factor authentication. This is certainly a best practice for password-based logins, but it falls short of addressing an evolving threat landscape in which the ability for hackers to bypass legacy forms of MFA has been commercialized.
What we ultimately need is widespread availability of passwordless sign-in technology that is more convenient and more secure – and we have that today with FIDO Authentication, which is already supported in over 90% of web browsers and virtually every modern handset and computing device.
In March of this year the FIDO Alliance shared its vision to make FIDO Authentication even more widely available and consumer-ready through the advent of multi-device FIDO credentials (referred to by some as “passkeys”).
Today, as an evolution of this announcement, FIDO Alliance is excited to share that Apple, Google and Microsoft are aligned with this vision and will be implementing multi-device FIDO credentials in their respective platforms. Read the press release for more details.
From a user experience standpoint, this will be very similar to how one interacts with a password manager today to securely enroll and sign in to websites – only it will be far more secure, as the process will issue a FIDO keypair instead of a password.
From a service provider perspective, the availability of multi-device FIDO credentials will join the ongoing and growing utilization of security keys to allow for a full range of options for deploying modern, phishing-resistant authentication.
In addition to facilitating a better user experience, the broad support of this standards-based approach will enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method. This is a critical step in helping the industry at large break its dependence on passwords and other knowledge-based credentials, which to this day are the cause of over 80% of data breaches.
I am often asked when the industry will be able to get rid of passwords – to which I respond that the path towards passwordless is a journey and not a sprint. That being said, the first step on the password-less journey is to use less passwords – which is embodied by the commitment made today by the world’s largest platform providers. While “Less Passwords Day” doesn’t roll off the tongue as well as “World Password Day,” it certainly is a day worth celebrating!