Apple Quietly Joins FIDO Alliance Body for Passwordless Authentication

(Image credit: Shutterstock)

Apple has been one of the tech companies that appeared more resistant to joining the FIDO Alliance, a several-years-old biometrics and authentication standards body. FIDO was founded by companies including Google, Yubico and Microsoft and was later joined by multiple chipmakers, financial institutions and other tech companies. 

Apple hasn’t actually announced that it joined the FIDO Alliance, but we can see Apple listed as one of the 40 or so "board level members" on FIDO’s website (other members are “sponsor level”).

Over the past few years, The FIDO Alliance has come up with a universal authentication framework for biometrics (UAF), as well as a standard for universal two-factor authentication (U2F). 

More recently the Alliance created the FIDO 2.0 specification, which will work in conjunction with World Wide Web Consortium’s (W3C’s) WebAuthn standard. The two allow users to authenticate to websites and services without needing a password. It uses private-public key encryption, which offers significantly better security than both passwords and biometric authentication.

It’s more secure than passwords because it doesn’t matter if the “public key” is stolen from a website (it’s supposed to be public anyway), as long as the private key is securely stored in device or hardware token you own. 

Private-public key encryption is also supposed to be more secure than fingerprint authentication, since you only have so many fingerprints and it'd be a larger security catastrophe if any of them somehow got compromised. Some companies, such as Apple, don’t actually store your fingerprint image on the device, but other companies and most governments do. This puts all of your fingerprint authentication at risk if those images are ever stolen.

What Does This Mean for new iOS and macOS Devices?

Even though biometric authentication existed for many years before Apple adopted it in its iPhones, Apple played a major role in making it virtually ubiquitous in mid-range and higher smartphones. 

The company also played some role in making face authentication the 'next step' in biometrics authentication, although it remains to be seen if that was the right move, as many users still prefer using a fingerprint to unlock their devices. Furthermore, face authentication has proven significantly more hackable than fingerprint authentication.

With Apple being a pioneer in biometric authentication, it can be understandable why it wasn’t in such a hurry to adopt another's standard, even if almost everyone else was. 

It’s not clear yet if Apple intends to implement all of FIDO Alliance’s specifications to replace its own standards, but chances are it will implement FIDO 2.0 for passwordless web login. 

It's also possible that Apple could adopt U2F for some services, but some companies, such as Google, believe U2F will no longer be necessary if FIDO 2.0 is implemented.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • jimmysmitty
    Just the other day I was thinking of security and passwords and the idea of just using some sort of authentication instead. Say you log into a site your phone or piece of authentication hardware requests verification and once it does it signs you in.

    Of course this means you are at the mercy of that piece of hardware be it a device or phone but to me it seems better than trying to remember a ton of passwords.