The move to simultaneously simplify and enhance security has been a long time coming.
We’ve said it before: passwords are a terrible way to protect your business accounts.
Microsoft, Apple, and Google all agree, and they’re finally going to work together to do something about it.
This is going to be a pretty big shift once it arrives, and with the Big 3 involved, there’s every reason to believe this system could become the new standard across most of your accounts and business services.
And that’s very good news!
Here’s what you need to know about this coming change: what it is, when it will roll out, and how to prepare.
The Problem with Passwords
We won’t go too deep here because we’ve talked about it so often already, but the short version is this: passwords are awful. They’re hard to remember and easy to steal or crack. They lead to all sorts of security breaches, data theft, and more: as many as 81 percent of data breaches are due to weak or stolen passwords.
And people tend to reuse passwords across multiple sites — even if they know not to. So once a set of credentials is stolen, it could open up illegitimate access to dozens of sites.
The old username + password system needs to go, and promises of something better and more secure have been around for a long time, too. The recent joint announcement from three of the biggest names in tech just may be the password’s death knell.
What It Is: A Unified Passkey
The three companies have agreed on a well-documented new standard for logging in, called a passkey. In addition to commitments from Microsoft, Apple, and Google, this cross-platform and cross-service passkey approach has the approval of the FIDO Alliance and the World Wide Web Consortium. Those organizations aren’t exactly household names, but they’re massively influential — so their support matters.
So what’s a passkey?
A passkey is a way of establishing a person’s identity or credentials using their smartphone. You already unlock your smartphone dozens of times per day, and most of us use face recognition or a fingerprint to do so. Both of those are way more secure and harder to hack than alphanumeric passwords.
Through the use of Bluetooth and lots of behind-the-scenes tech, this new passkey standard will allow your phone to establish your identity and send that information to whatever platform or service you’re logging into.
Crucially, this new passkey system will work across devices, platforms, operating systems, and services. Once your identity is established, it will stay that way for a period of time, even if you switch devices, browsers, and so on.
It’s also phishing-proof: because users must have their phone near a device to authenticate with it, hackers can’t spoof logins like they can today.
Isn’t this just MFA or passwordless?
At first glance, this new system sounds a lot like multifactor authentication (MFA) or passwordless. These technologies are better than a password alone, but they still have issues. For one, some hackers can now intercept those one-time codes MFA keeps texting you. (It’s not common, but it does happen.) MFA systems can end up locking you out if you lose access to your phone, authenticator, or fob. And attempts to resolve both of these issues get complicated (and expensive), and ultimately still rely on an insecure password as a backup.
Also, MFA doesn’t work across devices and platforms, so you keep getting punted back to login screens.
Passkey manages to solve all of these issues, providing a safer, more secure login experience that’s truly, actually passwordless.
When Does This New System Arrive?
The Big 3 haven’t given a clear timetable, but it seems like late 2022 at this point.
How To Get Prepared for a True Passwordless Future
For now, it’s a waiting game. Just make sure you’re following good password (or multifactor or passwordless) practices until then. As the new protocol rolls out, there will be a learning curve and transition period — and we’re here to help you through that with whatever support you need.