The War on Passwords Is One Step Closer to Being Over

The password-killing tech known as “passkeys” has proliferated over the last two years, developed by the tech industry association known as the FIDO Alliance as an easier and more secure authentication alternative. And although superseding any technology as entrenched as passwords is difficult, new features and resources launching this week are pushing passkeys toward a tipping point.

At the FIDO Alliance’s Authenticate conference in Carlsbad, California, on Monday, researchers are announcing two projects that will make passkeys easier for organizations to offer—and easier for everyone to use. One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded. The other is a website, called Passkey Central, where developers and system administrators can find resources like metrics and implementation guides that make it easier to add support for passkeys on existing digital platforms.

“To me, both announcements are part of the broader story of the industry working together to stop our dependence on passwords,” Andrew Shikiar, CEO of the FIDO Alliance, told WIRED ahead of Monday’s announcements. “And when it comes to CXP, we have all these companies who are fierce competitors willing to collaborate on credential exchange.”

CXP comprises a set of draft specifications developed by the FIDO Alliance’s “Credential Provider Special Interest Group.” Development of technical standards can often be a fraught bureaucratic process, but the creation of CXP seems to have been positive and collaborative. Researchers from the password managers 1Password, Bitwarden, Dashlane, NordPass, and Enpass all worked on CXP, as did those from the identity provider Okta as well as Apple, Google, Microsoft, Samsung, and SK Telecom.

The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. In many ways, though, this problem already exists with passwords. Export features that allow you to move all of your passwords from one manager to another are often dangerously exposed and essentially just dump a list of all of your passwords into a plaintext file.

It’s gotten much easier to sync passkeys across your devices through a single password manager, but CXP aims to standardize the technical process for securely transferring them between platforms so users are free—and safe—to roam the digital landscape. Importantly, while CXP was designed with passkeys in mind, it is really a specification that can be adapted to securely exchange other secrets as well, including passwords or other types of data.
