Is the password really dead?

A new commitment from Google, Apple, and Microsoft promises the end of the password, but is the world ready for biometric scans and face IDs?

World Password Day - the first Thursday of every May – was created in 2013 to encourage the world to use strong and secure passwords.

This year, though, things have been rather different. Instead of the usual exhortations to avoid pets' names and keep changing passwords, major tech vendors are advocating abolishing passwords altogether.

FIDO standards

Google, Apple, and Microsoft have all pledged to implement passwordless sign-in across their mobile, desktop, and browser platforms – Android and Chrome; iOS, macOS and Safari; Windows and Edge – based on the FIDO Sign-in standards.

This means using the pattern-drawing, fingerprint, face scan, or indeed PIN on a user's phone that's normally used to unlock it.

"Your phone will store a FIDO credential called a passkey which is used to unlock your online account. The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone," explains Sampath Srinivas, PM director of secure authentication at Google and president of the FIDO Alliance.

"To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer,"

Sampath Srinivas said.

The truth is that passwords have done a poor job at protecting users – not least because they depend on sensible user behavior. Recent research has shown that the most popular passwords used by CEOs are '123456' and 'qwerty', and users further down the command chain are no more careful.

Meanwhile, the widespread practice of using the same password for multiple sites means there's a thriving criminal trade – last summer, indeed, a collection of passwords was leaked online containing 8.4 billion entries.

Industry adoption

The companies are expecting third-party app and website developers to adopt the new system, use APIs available in the browsers and operating systems.

"This new capability stands to usher in a new wave of low-friction FIDO implementations alongside the ongoing and growing utilization of security keys — giving service providers a full range of options for deploying modern, phishing-resistant authentication," says Andrew Shikiar, executive director and CMO of the FIDO Alliance.

There are some concerns around the reliance on a phone.

"Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off," says Srinivas.

However, there are questions about what happens in the event that a user loses both their phone and their password – something that the companies haven't made clear.

The system also depends on Bluetooth, which can be prone to connection problems, and it won't necessarily be suitable for older devices. It will take some time – and a fair amount of work – for the technology to be available on all devices and for website and app developers to take advantage of it.

In practice, these issues mean that adoption's likely to be slow and gradual. Passwords will still be around for many years yet.