Abandoning passwords can make it harder for users to switch between different ecosystems. If a user relies on access keys (passkeys) instead of passwords on their Apple devices, they will not be able to transfer those keys to Android devices, and vice versa.
A world without passwords is the cherished dream of the FIDO Alliance, whose mission is to develop and promote authentication standards that “will help reduce the excessive dependence of the world on passwords.”
Instead of having users enter passwords to log in to websites or apps, FIDO proposes authenticating users with their own devices (for example, an iPhone can authenticate a user with Face ID).
The first example of the FIDO standard working on Apple devices was presented in 2019. Later, the company officially confirmed that it intends to support the standard.
The standard is supported by such tech giants as Amazon, Arm, Facebook, Google, Intel, Microsoft and Samsung. The board of directors of the FIDO Alliance also includes American Express, ING, Mastercard, PayPal, Visa and Wells Fargo.
However, as Fast Company magazine noted, the standard in its current form makes no provision for switching between ecosystems. Access keys are stored locally on devices, so a user who wants to replace an iPhone with an Android device, or vice versa, will have serious problems logging in. FIDO simply does not provide a way to transfer all of a user's access keys from one ecosystem to another.
Passwords, by contrast, are very easy to transfer. Popular browsers can import passwords from other browsers in just a few clicks, and most password managers can export user credentials to a .csv file, so users can manually import them into alternative services.
In theory, the problem with transferring access keys is quite easy to solve: access keys just need to be exportable and importable. However, given that the FIDO standard is positioned as a more secure alternative to passwords, it is unlikely that the alliance will allow this. After all, if users can move their access keys between providers, then hackers will easily take advantage of this. It is currently difficult to say when and how the FIDO Alliance intends to solve this problem.