Google, Apple and W3C Work to Eliminate Passwords

It’s been a dizzying week in the world of digital identity and consumer authentication.

First, on the heels of Gigya’s recent survey about the death of the password, Google announced to attendees of its annual I/O conference that it intends to do away with password authentication entirely for Android users by the end of 2016. To do this, the tech giant will use a feature called the Trust API, first developed under the codename Project Abacus by Google’s Advanced Technology and Projects (ATAP) group.

The Trust API enables a risk-based, continuous approach to authentication by combining physical biometric attributes with “behavioral biometrics” to deliver a “Trust Score” to indicate how likely it is that someone is who they say they are. This API-based authentication promises greater security for apps and content, rather than just OS access, since it could conceivably shut down apps on a mobile device even once someone besides the device’s owner has gained access to it. In essence, the device “recognizes” its user both by their physical characteristics and by the way they behave.

Then, as Apple continues its trend toward unifying the Mac OS and iOS experience, the company is apparently considering adding a Touch ID sensor to the next MacBook Pro. This would eliminate password authentication for user access and open the machine up to features like Apple Pay for online purchases.

Besides being bold strategic moves, these announcements are also in line with the direction of the Web standards community. Recently, the World Wide Web Consortium (W3C) launched an effort to define a new standard for Web authentication that uses cryptography in place of password exchange processes.

“When strong authentication is easy to deploy, we make the Web safer for daily use, personal and commercial. With the scope and frequency of attacks increasing, it is imperative … to develop new standards and best practices for increased security on the Web.” – Sir Tim Berners-Lee, Web Inventor and W3C Director

For obvious reasons, the financial industry has led early adoption for biometric and other types of passwordless authentication. With this week’s revelations, however, it’s becoming clear that we’re entering a new phase of our collective online lives where we’ll see these innovations making their way into virtually every sector.

As time goes by, the internet will continue to merge with the real world (and vice-versa), so brands must push to remove barriers to entry for consumers while enabling safer and more flexible methods to shore up security and privacy. We think that by moving away from tradition and toward innovation when considering how to authenticate users, every business has a massive opportunity to grow revenue while building trust.

By David Kerin