Apple joins industry effort to eliminate passwords
In a somewhat unusual move for Apple, the company has joined the Fast IDentity Online (FIDO) Alliance, an authentication standards group dedicated to replacing passwords with another, faster and more secure method for logging into online services and apps.
Apple is among the last tech bigwigs to join FIDO, whose members now include Amazon, Facebook, Google, Intel, Microsoft, RSA, Samsung, Qualcomm and VMware. The group also boasts more than a dozen financial service firms such as American Express, ING, Mastercard, PayPal, Visa and Wells Fargo.
"Apple is not usually up front in joining new organizations and often waits to see if they gain enough traction before joining in. This is fairly atypical for them," said Jack Gold, president and principal analyst at J. Gold Associates. "Apple is often trying to present [its] own proposed industry standards for wide adoption, but is generally not an early adopter of true multi-vendor industry standards.
"FIDO now has enough momentum that I assume Apple is feeling the pressure to join in," he said. "Especially in a cloud-based world, FIDO is a key initiative to authentication that companies really can't ignore."
David Mahdi, senior director of research for security and privacy at Gartner, said Apple's move is noteworthy.
"It is a significant step in realizing a passwordless world," Mahdi said. "Apple joining is a significant step."
Formed in 2012, FIDO's purpose is to push two-factor authentication for services and apps because passcodes are innately insecure. Research backs the group's claim, as 81% of all security breaches from hackers can be traced to stolen or poor passwords, according to Verizon's Data Breach Investigations Report.
"If you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers' devices are concerned," Verizon said in its report.
Along with W3C, FIDO wrote and is using the emerging Web Authentication API (better known as WebAuthn). The WebAuthn specification is already supported - to different degrees - by major browsers such as Google's Chrome, Mozilla's Firefox and Microsoft's Edge. Those browsers also support cloud credential creation using a U2F Token, which can use Bluetooth, NFC or USB to provide two-factor authentication to online services and apps.
In 2018, Apple announced it was adding "experimental" support for the WebAuthn protocol on Safari. In December, Apple added native support for FIDO-compliant security keys, such as those from Yubico and Feitian, which use the WebAuthn standard over near-field communication (NFC), USB, or Lightning in iOS 13.3.
"FIDO is like Bluetooth for authentication - meaning that we have a number of devices with features and functions that can be used to provide authentication," said Mahdi.
For example, Mahdi said, mobile devices or laptops may use fingerprint readers or facial recognition technology to enable log-in. Either technology could be leveraged for authentication, but without a common language, it was difficult to do and required proprietary drivers and software.
"As such, it was much more complex to reliably enable strong authentication," Mahdi said. "FIDO, like Bluetooth, allows application developers and security leaders that want to enable strong authentication (say, in a mobile app or a website) to cover a wide range of authentication methods that are available in devices with minimal code [and without having to worry about many proprietary drivers]."
Overall, FIDO's specification means digital services from banks, ecommerce sites and others can recognize users through their devices, rather than with usernames and passwords. For example, users could register for an online service, create a username, register their devices, and select a preferred authentication method (i.e. finger, or face, and/or PIN). No password would be needed, Mahdi said.
How FIDO's spec works
FIDO's specification works by enabling anyone using it to gain access to an app or online service with a private and public key pair.
When a user registers with an online service, such as PayPal, the authenticator device (a server) creates a unique private/public key pair. The private key is stored on the user's device, while the public key becomes associated with that device through the online service or app.
Authentication is performed by the client server sending an electronic challenge to the user's device. The client's private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a secure action such as a biometric reader (i.e., a fingerprint scan or facial recognition), entering a PIN, speaking into a microphone, or inserting a second-factor device.
U2F is an open-authentication standard that enables internet users to securely access with one security key instantly and with no drivers or client software needed, according to FIDO member and authentication vendor Yubico. FIDO2 is the latest generation of the U2F protocol.
Last April, Google joined the Alliance as part of its creation of new online identity management tools. Google added two-factor authentication through FIDO's specification for Android 7 and above devices.
Jamf, a provider of multi-factor enterprise authentication management software for the Mac platform, joined FIDO last month.
"As we were supporting a lot of these multi-factor devices and different identity providers, it got to be complicated pretty quickly," said Joel Rennich, director of Jamf Connect, an Apple Mac authentication and identity management product. "And we still had the problem that we needed to go back to having a password. On the Mac, there's no built-in way of supporting your user credentials without typing in a password. However, Apple does have a pretty robust smart card installation."
Rennich said Jamf is embracing the FIDO authentication protocol because it's "incredibly" secure and allows a lot of flexibility because of wide-ranging industry support. In particular, because of FIDO's use of highly-secure elliptical curve cryptography - the same used by Apple Secure Enclave - Jamf can now leverage the technology to create enterprise-class access to the iPhone, for example.
"So, we can use that hardware already in the device to work with the FIDO protocols with minimal amount of effort. ...That made the development really quick," Rennich said.
While it's not yet shipping, Jamf also created a virtual smart card that allows users to sign into Mac devices from the cloud using elliptic-curve cryptography pairing keys in the same way FIDO's specification does.
"We're not here to speak for Apple..., but certainly you can see they're doing a lot more work in this environment. I do think it's a solid base. It's a great standard," Rennich said. "We do hope Apple does more with it. But in the meantime, we expect to be able to bring log-in at the log-in window with a FIDO authenticator to the Mac."