Passwords are under attack in a war on multiple fronts. Just today, Microsoft announced the rollout of password-free login using its Microsoft Authenticator app while the digital security company Yubikey announced a new version of its USB security keys that forgo the need for passwords altogether. Neither of these will kill the password, but they are two more shots across the bow.
Microsoft’s new password-free login feature works through an app, much in the same way you might use Google Authenticator or text message-based two-factor authentication. Once you log into Microsoft’s app (using your actual password, but only once), you’ll have the option to log into other services like Outlook by using the app instead of your password. When you do this, the app will send you a notification on your phone, which you can approve by using the PIN or biometric you use to unlock your phone.
It’s a process not entirely unlike the two-factor authentication you should already be using. But instead of sending a code after you use your password, the app’s confirmation process replaces your password, which is both more convenient than typing in some garbled code and safer than receiving confirmation codes by text message.
Microsoft’s solution does require you to download and set up another app, but you can see the seeds of an even more streamlined approach. For example, look at Google’s two-factor prompts that make use of the Android operating system to let you tap a notification on your phone to verify your login with no previous setup. That system, for now at least, still requires you to type in your password.
Where Microsoft’s password-killing tech is confined to its ecosystem of products, Yubikey’s assault on the password promises a wider-ranging solution. The company’s new Yubikey 5 security keys make use of the open FIDO2 authentication standard, which supports “strong single factor,” also known as password-less login.
What does that mean in practice? Essentially, you can use Yubikey’s USB keys like a car key. Once you plug it in, it will replace your password for services that support the standard, which currently include Google Chrome, Firefox, and Microsoft Edge. The new line of keys includes four flavours with varying USB styles and NFC capability for desktop and mobile devices.
Both of these anti-password moves come in the wake of Google’s new Titan security keys, which aim to increase the strength of the password though not to outright replace it—yet. Meanwhile, now that the Home Button has disappeared from all current iPhones, Apple is diving headfirst into its depth-sensing Face ID technology. Similarly, face-scanning is a password-free strategy Microsoft has explored with its ‘Hello’ feature, which would provide the same functionality on computers using nothing more than a standard webcam.
As the password alternatives continue to roll out and gain steam, the question that remains is: Which alternative will gain enough momentum to become the new de facto standard? Solutions that are tied to a given gadget or software ecosystem, like Microsoft’s new authenticator system or Apple’s Face ID, are all but destined to remain confined to a single suite of services and gadgets. An open standard approach like Yubikey’s carries the promise of a potentially universal solution, but with the need to buy a physical object, the barrier to entry is also higher.
However the path unfolds, one thing is abundantly clear: passwords are annoying, obsolete, and insecure. Hopefully they’re finally, finally, about to be replaced for good.
Originally posted on Popular Mechanics