Google, Microsoft, and Apple are important in this regard because they represent the greatest volume of single-sign capabilities for sites other than their own. So if you want a change away from passwords, without their support, it drags out for years, never reaching any tipping point to be effective. Note though that what is being adopted are open alliance standards, and not proprietary to Google, Apple, or Microsoft.
We do have 2FA (2-Factor Authentication) already, but it often falls back onto insecure e-mail or text messages. We're going to also have to finalise, or have options between biometrics vs device specific. Many don't want biometrics (or their hash) saved, not because it's invasive (it does not store your actual fingerprint), but because it cannot be changed (or does using a different finger count, although most of us still have a limit of 10?). Biometrics are the most convenient and usually not lost, but that also counts against them for the same reason. A device such as YubiKey, fob, phone, etc can easily be lost or left at home, and you lose access.
But yes, passwords do need to go, along with that useless advice of updating a password every 30 days.
See
Microsoft, Apple, Google step up push to eliminate passwords#
technology #
security #
passwords #
authentication Passphrases PIP'd, FIDO and W3C projects promoted