A passwordless login process will let users authenticate with their smartphone on every compatible application. You will no longer need to create or enter a password at any time. A first.
How does it work?
You will start by choosing an authentication method on your smartphone to enroll with. It can be biometric, such as facial recognition or a fingerprint, a PIN code, or even a drawn pattern. The Fido authenticator is unlocked when you activate this method on your smartphone. A cryptographic key pair is then created: the first key, the private one, is kept by the device; the second, the public key, is stored by the service and associated with your account.
Thereafter, each time you log in, a message signed with the private key is sent to the service, which validates it with the public key, and you are then granted access to the application.
If the Fido standard has not seen wider adoption since its first version in 2014, it is because a few obstacles still made the user journey too complex. A password still had to be created to enroll. Another constraint: the procedure had to be repeated on each new device.
What’s new is that Fido authentication will be accessible regardless of operating system or browser, and that it will be possible to enroll a new device via Bluetooth using another nearby terminal that already holds the credentials.
It will therefore be possible to switch easily from an iPhone to an Android device, for example. “Users can sign in on a Google Chrome browser running on Microsoft Windows, using a password on an Apple device,” Vasu Jakkal, Microsoft’s vice president for security, compliance, identity, and privacy, summarized for The Verge.
For the tech giants, adopting Fido has nothing but advantages. Besides its simplicity, it is also a safer way to authenticate: it stops people from reusing the same password for all their services or choosing combinations that are too weak. Fido finally makes it possible to fight phishing, and to avoid falling back on authentication by SMS, which can be hijacked.
Source: Google, Apple, The Verge