The War on Passwords Is One Step Closer to Being Over
The password-killing tech known as “passkeys” has proliferated over the past two years, developed by the tech industry association known as the FIDO Alliance as an easier and more secure authentication alternative. And although superseding any technology as entrenched as passwords is difficult, new features and resources launching this week are pushing passkeys toward a tipping point.
At the FIDO Alliance’s Authenticate Conference in Carlsbad, California, on Monday, researchers are announcing two projects that will make passkeys easier for organizations to offer—and easier for everyone to use. One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded. The other is a website, called Passkey Central, where developers and system administrators can find resources like metrics and implementation guides that make it easier to add support for passkeys on existing digital platforms.
“To me, both announcements are part of the broader story of the industry working together to stop our dependence on passwords,” Andrew Shikiar, CEO of the FIDO Alliance, told WIRED ahead of Monday’s announcements. “And when it comes to CXP, we have all these companies who are fierce competitors willing to collaborate on credential exchange.”
CXP comprises a set of draft specifications developed by the FIDO Alliance’s “Credential Provider Special Interest Group.” Development of technical standards can often be a fraught bureaucratic process, but the creation of CXP seems to have been positive and collaborative. Researchers from the password managers 1Password, Bitwarden, Dashlane, NordPass, and Enpass all worked on CXP, as did researchers from the identity provider Okta and from Apple, Google, Microsoft, Samsung, and SK Telecom.
The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. In many ways, though, this problem already exists with passwords. Export features that allow you to move all of your passwords from one manager to another are often insecure: they essentially just dump a list of all of your passwords into a plaintext file, which then sits unprotected on disk until the user remembers to delete it.
It’s gotten much easier to sync passkeys across your devices through a single password manager, but CXP aims to standardize the technical process for securely transferring them between platforms so users are free—and safe—to roam the digital landscape. Importantly, while CXP was designed with passkeys in mind, it is really a specification that can be adapted to securely exchange other secrets as well, including passwords or other types of data.
“In the future, this could apply to mobile driver’s licenses, say, or passports—any secrets that you want to export somewhere and import into another system,” Christiaan Brand, identity and security group product manager at Google, tells WIRED. “We’ve got most of the rough edges sanded down with passkeys, but one of the main pieces of negative feedback over the past year has been around portability and potential vendor lock-in. I think with this, we are signaling to the world that passkeys are growing up.”
The goal of the resource repository Passkey Central is similarly to help the ecosystem expand and mature. Product leads or security professionals who want to implement passkeys for their user base may need to make a business case to executives to get budget for the project. The FIDO Alliance is aiming to help them with the pitch, providing data and communications materials, and then to support their rollout with prefab materials like implementation and roll-out guides, user experience and design guidelines, documentation around accessibility, and troubleshooting.
“We’ve made amazing progress on passkeys,” FIDO’s Shikiar says. “Usability and user experience are pretty much there. But we do have a punch list and we’re actively working on it. Portability is an important feature on that list. And while the biggest brands on the planet are now using passkeys at scale, there’s a very long tail of companies that haven’t gotten started yet. So we want to offer resources and the assets they need to be successful.”
Craig Newmark Philanthropies’ Cyber Civil Defense coalition provides some funding to advance passkeys. In an interview with WIRED ahead of Monday’s announcements, Newmark said he believes that passkeys can make a real difference both for the digital security of individual people and for internet security overall.
“There are a lot of vulnerable systems out there,” Newmark says. “You need to make it a lot harder for bad actors to defeat password schemes. You need to make everything more secure, and passkeys is part of that.”