Apple joins FIDO Alliance, commits to getting rid of passwords

Passwords are a notorious security mess. The FIDO Alliance wants to replace them with better, more secure technology, and now Apple is joining them in this effort.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

We all use passwords. We also all suck at using them. 81% of all hacking-based security breaches can be traced back to poor passwords. That is why the FIDO Alliance has been seeking to replace password-only logins with secure and fast login experiences across websites and apps using the emerging standard WebAuthn. Its efforts have been supported by nearly all major technology and e-commerce companies with one major exception: Apple. Now, Apple has joined FIDO.

"Passwords are like the cockroaches of the internet and companies have been trying to kill them off for years," said Merritt Maxim, Forrester Research principal security analyst in a CNBC interview. WebAuthn is a specification written by the W3C and FIDO. Its application programming interface (API) allows servers to register and authenticate users using public key cryptography instead of a password.

But Apple has always stayed a step away from the FIDO Alliance's efforts to get rid of passwords. Recently, that's been changing.

In 2018, Apple's WebKit browser team added 'experimental support' for WebAuthn. By December 2019, Apple had added native support for FIDO-compliant security keys, like the YubiKey, using the WebAuthn standard over near-field communication (NFC), USB, or Lightning in iOS 13.3.

This works because WebAuthn enables users to register and authenticate on websites or mobile apps using a public key cryptographic "authenticator" instead of a password. This can be a hardware security key, like those from Yubico; a biometric ID derived from your PC or smartphone's fingerprint sensor; or a device-based authentication program.
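As an added illustration (not code from the article, Apple, or the FIDO Alliance), this Node.js sketch models the login step just described: the server stores only a public key, and the authenticator signs a fresh server challenge bound to the site's origin. The names `makeAuthenticator`, `verifyAssertion` and `demo` and the `example.com` relying party are assumptions, and the CBOR-encoded attestation used at real WebAuthn registration is omitted.

```javascript
// Added example: simplified model of a WebAuthn login, not a full implementation.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
// Browser + authenticator, collapsed into one object; the private key never leaves it.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let signCount = 0;
  function getAssertion(rpId, origin, challenge) {
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
    const counter = Buffer.alloc(4);
    counter.writeUInt32BE(++signCount);
    // rpIdHash (32 bytes) || flags (0x05 = user present + verified) || signCount
    const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), counter]);
    const signature = crypto.sign('sha256',
      Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authenticatorData, signature };
  }
  return { publicKey, getAssertion };
}

// Server (relying party): stores only the public key and last counter for the account.
function verifyAssertion(cred, expected, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  const authData = assertion.authenticatorData;
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  if ((authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([authData, sha256(assertion.clientDataJSON)]);
  if (!crypto.verify('sha256', signed, cred.publicKey, assertion.signature)) return 'bad signature';
  const count = authData.readUInt32BE(33);
  if (count <= cred.signCount) return 'counter did not increase';
  cred.signCount = count;
  return 'ok';
}

// Constructed sample run: one valid login, then the same response replayed.
function demo() {
  const rp = { rpId: 'example.com', origin: 'https://example.com' };
  const auth = makeAuthenticator();
  const cred = { publicKey: auth.publicKey, signCount: 0 }; // what registration stores
  const login = { ...rp, challenge: crypto.randomBytes(32) };
  const assertion = auth.getAssertion(rp.rpId, rp.origin, login.challenge);
  return [verifyAssertion(cred, login, assertion),
    verifyAssertion(cred, { ...rp, challenge: crypto.randomBytes(32) }, assertion)];
}
console.log(demo());
```

Nothing reusable crosses the wire or sits in the server database: a response captured for one challenge fails against the next, and one produced for a different origin is rejected before the signature is even checked.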

Apple still trails other companies. Rolf Lindemann, co-chair of FIDO's Security Requirements Working Group, explained, "Currently, there is full FIDO support in three major platforms: Google Android and Chrome, Microsoft Windows and Edge, and Mozilla Firefox." While third-party security and authentication programs, such as the Nok Nok S3 Suite, supported WebAuthn logins on mobile apps on iOS and Apple Watch apps, "some organizations have been hesitant to deploy FIDO because there was no [major] public commitment from Apple to FIDO. Now with the addition of Apple, all major platform vendors in the FIDO Alliance prove that the world is finally ready for this technology."

Lindemann believes that now that Apple is getting a first-hand look into where FIDO is heading, it can help direct it. This will "result in support for passwordless authentication that best fits the Apple ecosystem."

Hopefully, now that Apple, a major player in the mobile space, has committed publicly to supporting FIDO and WebAuthn, we can finally start taking a step forward in putting passwords into the grave. Their day as a serious way of securing your information is long done.
