There’s a big problem with Apple and Google’s plans to nix passwords

By Jared Newman

May 27, 2022

Apple, Google, and Microsoft have big plans to eliminate the password.

Working with a standards group called the FIDO Alliance, all three companies are backing a system in which your phone or computer signs you into all your online accounts automatically, using on-device face detection or fingerprint recognition to verify your identity. Think of it like having a password manager, but without the actual passwords.

News of the password’s potential demise has yielded a lot of enthusiastic coverage in recent weeks, and for an understandable reason: Too many people use the same weak passwords everywhere, leaving themselves open to serious security risks. Eliminating passwords outright is a way of protecting people from themselves.

But the push to make passwords obsolete could also have consequences: By handing over your digital passkeys to Apple, Microsoft, and Google, you’re making it easier for those companies to trap you inside their respective ecosystems. For now, the FIDO Alliance has no specific solutions for the lock-in problem it’s helping to create.

How passwordless systems will work

FIDO’s proposal is technically called “multi-device FIDO credential,” but the big tech companies are colloquially referring to it as “passkey.” The idea is that when you unlock your phone with your face or fingerprint, you’ve effectively proven who you are, so you should also be able to log into other apps and websites without any prompts.

Imagine, for instance, that want to create a Twitter account. Rather than making you set up a password inside the Twitter app, your phone will generate a hidden passkey and store it securely on the device. Twitter itself never learns or stores the passkey; instead, it receives a credential from your phone that verifies your identity and lets you log in.

The benefits of this approach are twofold: You don’t have to remember new passwords for every app or learn to use a password manager, and the app or website doesn’t have to worry about losing users’ passwords in a security breach.

“We want people to get passwords off of their servers,” says Andrew Shikiar, the FIDO Alliance’s executive director.

FIDO passkeys needn’t be bounded to your phone, either. Apple and Google plan to sync passkeys through their own cloud services, so if you create a Twitter account on your iPhone and want to sign in on your Mac, you’ll get the same instant login experience, with the Mac’s fingerprint reader verifying your identity.

This multi-device approach is also how FIDO will address upgrading to a new device or replacing a lost one. When you buy a new phone, you’ll be able to use the old one or your computer to sync passkeys over via Bluetooth. (That said, you may still need an actual password and backup authentication method for your Apple or Google account, at least in the near term, to avoid major headaches when replacing a lost device.)

All of this is fairly similar to how Apple’s and Google’s built-in password managers work today. Apple, for instance, can already create and store logins for you on iPhones and Macs, and can sync them through iCloud keychain. Google can do the same with Android phones and the Chrome browser. FIDO’s system just builds on these approaches by taking the actual passwords out of the equation.

“It provides a password manager-like experience, or a browser stored-like experience, but instead of issuing incumbent passwords, it’s issuing FIDO keypairs,” Shikiar says.

No way out (yet)

As anyone who uses a password manager will tell you, not having to think about passwords can feel liberating. But by eliminating them outright, FIDO’s proposal risks putting even more control over users’ digital lives in the hands of just a few major tech companies.

FIDO’s current proposal has no mechanism for bulk-transferring passkeys between ecosystems. If you want to switch from an Android phone to an iPhone—or vice versa—you won’t be able to easily move all your passkeys over.

“We don’t really have a batch export method right now,” Shikiar says. “I think that’s probably a future iteration.”

By contrast, the tangible nature of passwords makes them fairly easy to transfer. Major web browsers can import passwords from other browsers with just a couple of clicks, and most password managers can download users’ logins to a .csv spreadsheet, letting users manually upload them to a competing service.

FIDO does plan to let users copy passkeys one at a time, so if you create an account with an iPhone and want to login on a Windows PC, Microsoft can create its own passkey for that service once you’ve authenticated through your phone. Still, moving passkeys one-by-one won’t be feasible for users who want to leave a particular ecosystem and have saved up dozens or hundreds of logins.

Sam Srinivas, Google’s product management director for secure authentication—who’s also the president of the FIDO Alliance—says that lock-in isn’t the goal, and that Google and other companies are interested in interoperability.

“The platforms do not want to be in a situation where lock-in is a long-term inhibitor for this change in the world, because this is hardly the intent,” he says. “The intent is to make the internet safer.”

Even so, FIDO and its partners are moving cautiously for security reasons. The fear is that if users can easily move all their passkeys between providers, hackers may try to exploit this capability. For now, it’s unclear when or how FIDO might address that problem.

“It’s very hard to do it safely from the get-go, because if we give a mechanism without great care for someone to export all these keys, you know who’s going to show up first for that,” Srinivas says. “It’s not going to be the legitimate user.”

Work in progress

One way to prevent a lock-in scenario would be to let third-party password managers such as Bitwarden and 1Password manage users’ passkeys. That way, users wouldn’t have to rely on Apple, Google, and Microsoft to manage their logins, and could easily move between platforms.

But even this would likely rely on support from big tech companies, which would have to allow password managers to integrate with their respective operating systems. They already do this to some extent today—you can use a third-party password manager to auto-fill passwords on iOS and Android—but the process isn’t quite as seamless as their built-in solutions, and accommodating passkeys will take additional work.

That may explain why password manager companies are getting involved in the process. Bitwarden is a longtime member of the FIDO Alliance already, and 1Password signed on earlier this month, hoping to steer FIDO in a direction that doesn’t leave users locked in.

“As we look to the future, it will be important that customers are given the choice of how they manage their online identities,” Jeff Shiner, 1Password’s CEO, says via email. “Our hope is to work alongside industry leaders like Apple, Google, and Microsoft in shaping what comes next and making it the best possible user experience, regardless of method.”

Gary Orenstein, the chief customer officer at Bitwarden, says he’s not fretting over a potentially passwordless future. He’s hopeful that the FIDO Alliance will eventually provide more passwordless options for users, and if major tech companies don’t end up prioritizing interoperability, he believes that will only help companies that do.

“I am optimistic about both the direction of passwordless and the convenience that it’s bringing to people, but I’m equally optimistic about the need for cross-platform solutions,” he says. “Those things combined work in Bitwarden’s favor.”

In the meantime, though, our passwordless future will get a bit messy. While Apple, Google, and Microsoft plan to embrace passwordless logins within the next year, getting individual apps and websites on board will be a multi-year effort. Along the way, users may end up with a smattering of logins scattered across different ecosystems, both with and without passwords attached, in some cases with no clear way to migrate them to other platforms.

The FIDO Alliance’s Andrew Shikiar says that’s just what has to happen if the password is truly going to die.

“I know it sounds a little hand-wavey to say, ‘Let’s let the market iterate,’ but I think that’s what needs to happen here,” he says. “This, like any technology, will need to come out, and it’ll have some success, and I suspect it’ll have some areas for improvement.”

 

(37)