There is little doubt that passwords are a horrible anachronism from an era of green screens and mechanical keyboards, yet they keep holding on despite the fact that, as users are forced to use them in dozens, if not hundreds, of places, they have become more of a security risk than a solution.
The problem, of course, is that unless you’re an extremely vigilant (or paranoid) person with a really good memory, the sheer number of places you need to use a password will inevitably encourage you to simply start using simple passwords, and then reusing those simple passwords all over the place.
According to the FIDO Alliance, the average person has more than 90 online accounts, and up to 51 percent of the passwords out there are reused across multiple sites. In addition to passwords being the root cause of over 80 percent of data breaches, they cost companies tangible money that could be spent elsewhere; FIDO estimates the average help desk cost of a single password reset at $70, and as an IT project manager in my former life, I can personally vouch for that — I once worked with a large government agency that had 40 full-time help-desk employees who spent the majority of their time each day resetting passwords — at an estimated cost to the organization of $750,000 per year.
The primary mission of the FIDO Alliance (which stands for Fast IDentity Online) is to solve the world’s password problem by developing alternative authentication methods. While most of the results of this work so far have been focused on two-factor authentication, such as the U2F standard used by the popular YubiKey hardware tokens, its ultimate goal is to pioneer authentication methods that would eliminate the need for passwords entirely.
“Something You Have”
Two-factor authentication relies on “something you know” — a password — and “something you have” — a hardware device that connects to your computer or, more often, simply a code that is delivered to your iPhone, either via SMS or a mobile “authenticator” app.
Ultimately, however, with the security and ubiquity of modern mobile devices, the need for service-specific passwords is becoming less important. Your iPhone or Apple Watch is obviously something you have, and it also already has a password (something you know); not only are these devices usually in your possession, but any credentials and keys stored on them can easily be invalidated if the device is lost or stolen.
Based on that idea, one of FIDO’s founding members, Nok Nok Labs, has taken the next logical step and developed a solution that can replace traditional passwords with your Apple Watch across a wide variety of apps and services. The Apple Watch is in fact well suited to this problem, since it’s not only a device you always have with you, but also one that you’re much less likely to misplace, lose, or have stolen.
The Nok Nok App SDK for Smart Watch adds FIDO-based authentication for wearable devices like the Apple Watch, letting app and website developers make some relatively simple back-end changes to their code that allow an Apple Watch to be used in place of a password, whether in an iOS app or on the internet at large. While the SDK is intended to eventually come to all smart watches, Nok Nok has only rolled it out for watchOS at this point.
For now, the feature will only work with services that use Nok Nok’s own authentication solution, but it’s still a big step toward ending our reliance on passwords.
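To make the FIDO model behind this concrete, here is an added example in Go (not code from the article or from Nok Nok’s SDK): the server keeps only a public key per registered device, the device signs a fresh random challenge after the wearer approves, and a lost watch is dealt with by revoking just its key. The RelyingParty and Device names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// RelyingParty is a hypothetical server that has replaced passwords with
// per-device public keys (FIDO-style); all names are constructed for this example.
type RelyingParty struct {
	keys       map[string]ed25519.PublicKey // device id -> registered public key
	challenges map[string][]byte            // device id -> outstanding single-use challenge
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the device's public key; the private key never leaves the device.
func (rp *RelyingParty) Register(device string, pub ed25519.PublicKey) { rp.keys[device] = pub }
// Revoke invalidates one lost or stolen device without affecting any other device.
func (rp *RelyingParty) Revoke(device string) { delete(rp.keys, device) }

// Challenge issues a fresh 32-byte random nonce for the device to sign (nil if unknown/revoked).
func (rp *RelyingParty) Challenge(device string) []byte {
	if _, ok := rp.keys[device]; !ok {
		return nil
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil
	}
	rp.challenges[device] = c
	return c
}

// Verify checks the signature over the outstanding challenge and consumes it, so a captured response cannot be replayed.
func (rp *RelyingParty) Verify(device string, sig []byte) bool {
	pub, ok := rp.keys[device]
	c, pending := rp.challenges[device]
	delete(rp.challenges, device)
	return ok && pending && ed25519.Verify(pub, c, sig)
}

// Device stands in for the watch: it generates and keeps the private key and signs only after the wearer approves.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{priv: priv}, pub
}
func (d *Device) Approve(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }
```

The server never stores anything a breach could turn into a reusable credential, and a replayed or wrong-device response is rejected because each challenge is random and consumed on first use.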
Apple Has Already Shown the Way
While Nok Nok’s solution has the potential to change the way passwords are used on a much wider scale, the fact is that Apple itself has already demonstrated how the Apple Watch can be a primary authentication factor for many of Apple’s own services.
From the very first Apple Watch released in 2015, Apple has supported “Wrist Detection” as a very straightforward means of confirming that an Apple Watch is still being worn by its proper owner. Since the Apple Watch knows when it’s in contact with your wrist and when it’s not, it’s safe to assume that once you’ve put your Apple Watch on and unlocked it, there’s no need to prompt for authentication again as long as it remains on your wrist.
This originally enabled features like Apple Pay to work seamlessly on the wearable without requiring a separate authentication step as the iPhone does, and Apple later expanded this idea to let users automatically unlock their Macs with macOS Sierra — a feature that still feels like a big step into the future every time you use it.
With this year’s release of watchOS 6 and macOS Catalina, Apple has now taken this to its next logical evolution, allowing your Apple Watch to be used to authenticate all of the usual requests your Mac makes for the Administrator password when installing apps or adjusting secure settings. For example, when you take a trip into System Preferences on your Mac and want to change something that would normally require you to type in your password, you can now simply double-click the side button on your Apple Watch to approve the request.
Following in Apple’s footsteps, other companies have also already begun to do the same. Last year, Microsoft’s Authenticator began allowing users to authenticate their login requests to Microsoft’s various online services simply by tapping on a notification from an Apple Watch app — without the need to enter a password.
These solutions show how magical it is to be able to sign in without having to hassle with a cumbersome password, and we have little doubt that this is the way forward; however, so far all of these solutions have been developed by and for specific companies like Apple and Microsoft. Nok Nok’s more open SDK promises to make these capabilities available to any app or website that wants to implement passwordless authentication using an Apple Watch, which would be a much bigger win for end users who are tired of having to remember and type in passwords at every turn.