How will Google’s passwordless FIDO security work?
Your phone will be your password
To keep your accounts safe you absolutely should be using a good password, a good password manager, and two-factor authentication. None of us wants to see our online accounts hacked.
But even with those three things in place, hacks still happen. Managing your own security just isn’t intuitive for everyone, and even people who know all the right things and do them can still get hacked. Google — as well as Apple and Microsoft — is teaming with the FIDO Alliance to make it even harder for someone to get into your accounts without your permission.
This will work using two critical elements: special hardware already inside most of the best Android phones, which Google calls the Titan module, and cryptography software that meets all the specifications needed to make it a FIDO credential.
When you set up your phone, a unique identifier will be created and stored in your phone’s secure enclave. This identifier will be used with the FIDO standards to create a set of credentials that can be passed along to any device that’s in communication with your phone, or any software that’s running on that device.
No personal identifiers are supplied, and while every set of credentials is unique, everything is encrypted and so far has been proven secure. A backup of the credentials will be securely stored in the cloud so you can set up another device using them. You won’t lose access if you lose your phone.
In plain English, this means that your phone will store a FIDO passkey. When you want to unlock any online account you just unlock your phone, and this passkey proves that you are really you. The key is only supplied when asked for, and you’ll only need to unlock your phone the first time — after that, the experience is seamless as long as your phone is nearby.
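As an added illustration (not part of the original article, and not Google's or the FIDO Alliance's code), here is a simplified Go model of the public-key challenge-response that FIDO credentials are built on. The `Authenticator` type, the `https://accounts.example` origin, the choice of Ed25519 and the way the origin is hashed into the signed data are assumptions for this sketch; real WebAuthn messages use a richer encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the phone: one private key per site, none ever exported.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

// Register creates a key pair for one site and hands back only the public half.
func (a *Authenticator) Register(origin string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[origin] = priv
	return pub
}

// signedData ties a signature to the site it was made for (simplified encoding).
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// Sign answers a challenge; ok is false when no credential exists for origin.
func (a *Authenticator) Sign(origin string, challenge []byte) (sig []byte, ok bool) {
	if priv, found := a.keys[origin]; found {
		return ed25519.Sign(priv, signedData(origin, challenge)), true
	}
	return nil, false
}

// Verify is the website's check against the public key stored at registration.
func Verify(pub ed25519.PublicKey, origin string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(origin, challenge), sig)
}

func main() {
	phone, site := NewAuthenticator(), "https://accounts.example" // constructed origin
	pub, ch := phone.Register(site), make([]byte, 32)
	rand.Read(ch) // the site picks a fresh random challenge for every sign-in
	sig, _ := phone.Sign(site, ch)
	fmt.Println("sign-in accepted:", Verify(pub, site, ch, sig))
	fmt.Println("accepted by another site:", Verify(pub, "https://other.example", ch, sig))
}
```

The website only ever stores the public key, so a breach of its database yields nothing that can be used to sign in, and a signature made for one challenge or one site fails verification for any other.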
The most difficult part of the equation is getting all of your devices to “talk” to each other the right way, at the right time. Google plans to start things using Android devices and Chrome OS or the Chrome browser, but with Apple and Microsoft also on board, this should eventually work with your Mac or Windows computer and an iPhone, or any mix of them all.
A project like this seems ambitious, and for many a little sketchy: Who wants one company to control access to accounts at another company? However, most experts agree that this is not only a more secure system, but its ease of use means it’s also more accessible. We’ll know more once Google starts rolling things out later in 2021.