Apple Joins FIDO Alliance: Why this Matters for the Future of Passwords

Earlier this week, Apple joined the likes of Amazon, Facebook, and Google on the list of board members at the FIDO Alliance. An acronym for “Fast IDentity Online”, FIDO is committed to eliminating the need for passwords, and it strongly endorses the adoption of trusted devices, via standards like WebAuthn, as a password alternative.

But what could Apple’s FIDO endorsement mean for the future of authentication?

More passwordless ubiquity and innovation

Between its suite of devices, the Safari browser, and Apple apps, Apple manages a huge ecosystem of technologies. While our iPhones, iPads, and Macs already support biometric authentication in the form of TouchID and FaceID, Apple’s FIDO endorsement suggests that Apple Watches, the Safari browser, and other applications will adopt similar technologies in the near future.

One effect this could have is that biometrics will become even more ubiquitous in consumer-facing apps and devices in the coming years. This may mean an increased expectation for passwordless authentication from consumers and, by extension, more innovation in the area of biometrics-based auth from not only Apple, but other organizations as well.

Heightened emphasis on security and privacy

Apple has strongly emphasized the importance of privacy as of late. Their “Sign in with Apple” (SiWA) functionality, for example, boosts privacy by restricting the personally identifiable information that users would otherwise need to submit to the services they sign in to. Instead, apps receive a unique identifier that is distinct for each developer, eliminating cross-platform or cross-app tracking. As a result, developers and websites have no way of gathering a user’s information beyond the name the user provides. Even the user’s email address can be hidden.

By investing in the FIDO Alliance, Apple is doubling down on its commitment to privacy. FIDO cryptographic keys are unique for each internet site, meaning they can’t be used to track users across sites. In addition, when biometric data is used, it never leaves the user’s device.

This also bodes well for security. Because FIDO2 cryptographic login credentials…

  1. Are unique across every website
  2. Never leave the user’s device
  3. Are never stored on a server

...the risks of phishing, password theft, and replay attacks are eliminated.
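As an added illustration (not code from the original post or from the FIDO Alliance), the sketch below shows the relying-party checks on a WebAuthn login response that make a phished or replayed response useless: the browser-reported origin, the RP ID hash in the authenticator data, and a single-use challenge. The RP ID, origins, and helper names are constructed for the example, and verifying the assertion signature is a separate step that is not shown.

```python
import base64, hashlib, hmac, json, secrets

RP_ID = "login.example"             # constructed relying-party ID (assumption)
ORIGIN = "https://login.example"    # constructed expected origin (assumption)
_pending = set()                    # challenges issued and not yet consumed

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_challenge() -> str:
    """Create a fresh random challenge and remember it until it is used once."""
    challenge = b64url(secrets.token_bytes(32))
    _pending.add(challenge)
    return challenge

def check_assertion(client_data_json: bytes, authenticator_data: bytes) -> str:
    """Return "ok", or the reason the login response is rejected."""
    client = json.loads(client_data_json)
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        return "wrong type"
    # The browser fills in the origin, so a look-alike site cannot claim ours.
    if client.get("origin") != ORIGIN:
        return "origin mismatch"
    # Bytes 0..31 of authenticator data are SHA-256 of the RP ID the key is scoped to.
    rp_hash = hashlib.sha256(RP_ID.encode()).digest()
    if len(authenticator_data) < 37 or not hmac.compare_digest(authenticator_data[:32], rp_hash):
        return "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:       # flags byte, bit 0 = user present
        return "user not present"
    # Each challenge is accepted once, so a captured response cannot be replayed.
    challenge = client.get("challenge")
    if not isinstance(challenge, str) or challenge not in _pending:
        return "unknown or reused challenge"
    _pending.discard(challenge)
    return "ok"

def sample_assertion(challenge: str, origin: str, rp_id: str):
    """Constructed sample input shaped like a browser/authenticator reply."""
    client = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")
    return client, auth
```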

In summary

Apple standing with the FIDO Alliance validates what many of us already feel: that passwords suck. We can therefore expect privacy-first password alternatives to become increasingly ubiquitous amongst consumers in the coming years.

For more information on how FIDO and WebAuthn work together to provide a passwordless experience, check out our post, The Ultimate Guide to FIDO2 and WebAuthn Terminology.