Apple, Microsoft and Google embrace FIDO

Apple, Microsoft and Google embrace FIDO: the big three want to change how you log into your devices and services.

What is FIDO?

FIDO stands for Fast IDentity Online. The FIDO Alliance was created in 2012 to develop authentication standards that reduce reliance on passwords.

People forget passwords, make overly simple passwords and reuse passwords and they have from the dawn of computing. Many organizations started using MFA or Multi-Factor Authentication to strengthen the login. An example of MFA is Quickbooks Online requesting not only your password but also a text message sent to your phone.

What the big three, Apple, Microsoft and Google, have embraced is a passkey system. The passkey or Multi-Device FIDO Credentials system works differently. For example, you want to log into your Office (aka Microsoft 365) account online. Instead of putting in your user name and password, the web site would push an authentication request to your smart phone. You would have to authenticate on your phone via a PIN or a biometric (your finger print, your face). The smartphone would send the authentication information via BlueTooth to your laptop/tablet/desktop. And then you can access the web site.

The picture below from the FIDO explanation page shows the details.


Is Bluetooth secure? Recently researchers discovered Bluetooth can be hacked with a little custom code and $100 worth of hardware. Yes, someone can unlock your Tesla and other Bluetooth dependent devices quite easily.

However in the case of FIDO, the BlueTooth is supposedly being used only to show you are in front of the device where you are trying to access services.

Most desktop don’t come with BlueTooth. You can add a BluTooth PCI card or USB attachment.

How does this affect business?

First, staff will have all to be trained on the new system.

Second, corporate account logins will be tied to a smartphone.  Will that phone belong to the company or the employee? How do you manage account resets or employee turnover if an account is tied to a persona smartphone?

Third, you will need only one authenticator software for all three services. Unlike MFA where you can need Google authenticator for G-Suite access and then Microsoft Authenticator for Office/Microsoft 365 services.

Three other concerns. It’s tied to a smart phone. Not everyone can afford nor want a smartphone. Also all the authentication keys are stored in the cloud meaning there will be one big security hack target.

A big concern is how the login information will be used. Twitter was just fined $150 million for using login information for advertising purposes.

Apple, Microsoft and Google embrace FIDO

There’s no timeline for the rollout of the Passkey system for the big three. Currently Apple has rolled out passkey support in iOS 15 and macOS Monterey but it’s not compatible with other systems. I’m guessing it will take about three years for the big three to agree and develop a system that will work on all three platforms. Once they do, most other software vendors (like Intuit) will jump on board.