Passwordless Authentication, coming to a modern, web-capable electronic device near you

So a thing I learned about the other day is the FIDO alliance.

Despite what you might think, it’s not a dog welfare organisation (though that would be a good name for one). It’s actually a set of standards and protocols for passwordless authentication using public key authentication.

The fantastic thing about passwordless authentication like this is that it’s both more convenient and more secure than a regular password, because you don’t reuse passwords, AND your secret key will never be transmitted over the internet.

And the best thing? Apple, Google, and Microsoft have all committed to “Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins”

Web passwords are to become a thing of the past, and I can’t wait!

4 Likes

Definitely looking forward to passwordless becoming more widespread - MS login has been doing it for a while in certain cases; it’s much more convenient than a password manager, which is less secure anyway.

They keep bugging me to use Microsoft Authenticator, but I don’t like how proprietary it is. And plus, all of these apps at the moment depend on your phone; if I can’t have something on my Mac, it’s not a technology I want to use.

Ah, for me it just sends a one time code to my email that I put in - I use the Google authenticator for most things but in theory an open source authenticator is possible, because they all use a similar standard

My main concern in this type of stuff is that if you lose your phone you’re :crab:

That’s why I always keep backup codes and have email 2FA on too :wink:

I’m pretty sure email authentication in itself is less secure than password authentication because emails aren’t encrypted.

And yes, an open-source authenticator will be possible…but only once everyone switches to the FIDO standard. There are already OSS clients for TOTP, for example.

I think the code is only usable in the window you requested it from - but of course someone could always request it for you if they’ve compromised your email.

It baffles me that something so important is still so insecure lol

The problem is that old web infrastructure was never designed with security in mind, because when will anyone ever use the internet for anything important?

But now, people do, simply because they’re ubiquitous, and getting people to adopt new technology is really, really hard.

I guess FIDO is a step towards fixing that which is cool - hopefully we will see more websites/companies joining in