Last year at WWDC Apple detailed its long-term plans to get rid of passwords. It included a preview of a technology called Passkeys in iCloud Keychain in iOS 15 and macOS Monterey. The idea is that you can log in anywhere by authenticating on your device—you don’t have to set passwords at individual sites, and the authentication is cryptographically protected.
That system uses a method approved by the FIDO Alliance and the World Wide Web Consortium (W3C). On Thursday, it took a step forward as Apple, Google, and Microsoft jointly announced plans to use this capability:
The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN. This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS.
It will take some time, but it looks like the era of generating unique passwords for every site and using a password manager (or writing them down) may be coming to an end. Good riddance.
—Linked by Jason Snell