Passwords: it’s crystal clear to most people that this form of authentication is weak and, frankly, close to meaningless, yet most of us still use passwords even though they sometimes cause distress, are easily stolen or forgotten, and are mostly unsafe and ineffective. The good news is that two standards bodies, FIDO and the W3C, have announced a better way: a new password-free protocol for the web called WebAuthn.
WebAuthn has been working its way toward W3C approval for nearly two years, but yesterday marked the first major announcement of browser support. Apple has not commented on Safari support for WebAuthn, although the company is part of the working group that developed the standard.
Chrome, Firefox and Edge will soon support a new open standard known as WebAuthn. When implemented, it will allow users to verify their identity with their mobile device. This could involve an app, a USB hardware key, or biometric data, and could either serve as an extra form of authentication or replace passwords completely. This type of authentication makes it really hard for hackers to pull off phishing attacks because there’s no consistent line of characters (like a conventional password) that provides access to your accounts.
The password-free protocol is the latest step in a years-long effort to move users away from passwords and toward more secure login methods like biometrics and USB tokens. The system is already in place on major services like Google and Facebook, where you can log in using a YubiKey token built to the FIDO standard.
Selena Deckelmann, who worked on Firefox’s implementation, explained:
“Previously, the work to support tokens was happening amongst big companies like Google, Microsoft and Facebook, which would implement into their own drivers.” She also added that “With WebAuthn, you’ll be able to use commonly available libraries.”
Because the FIDO standard is built on a zero-knowledge proof, there’s no single string of characters that guarantees access to an account, which makes it much harder to pull off a conventional phishing attack. Those logins are still rare, even on services where they’re available, but they provide an important way for security-conscious users and businesses to protect themselves. And as more services move to support the stronger logins, the population of FIDO-ready users will only grow.
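The property described above, that no reusable string of characters grants access, shown as an added example that is not part of the original article: a simplified public-key challenge-response in Node.js, not the real WebAuthn message format. The origins, function names and result labels are assumptions made for illustration.

```javascript
// Added example: simplified model, not the real WebAuthn message format.
const crypto = require('node:crypto');

// Registration: the authenticator keeps the private key; the site stores only the public key.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { authenticator: { privateKey }, server: { publicKey } };
}

// Login, client side: the browser records the origin the user is really on,
// and the authenticator signs that record together with the server's challenge.
function signAssertion(authenticator, challenge, origin) {
  const clientData = JSON.stringify({ challenge: challenge.toString('hex'), origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), authenticator.privateKey);
  return { clientData, signature };
}

// Login, server side: check the signature first, then origin and challenge freshness.
function verifyAssertion(server, challenge, expectedOrigin, assertion) {
  const signed = Buffer.from(assertion.clientData);
  if (!crypto.verify('sha256', signed, server.publicKey, assertion.signature)) return 'bad-signature';
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin) return 'origin-mismatch';
  if (data.challenge !== challenge.toString('hex')) return 'stale-challenge';
  return 'ok';
}

function demo() {
  const site = 'https://login.example';            // constructed origin
  const lookalike = 'https://login.example.test';  // constructed look-alike origin
  const { authenticator, server } = register();
  const c1 = crypto.randomBytes(32);
  const genuine = signAssertion(authenticator, c1, site);
  const relayed = signAssertion(authenticator, c1, lookalike);
  // Rewriting the origin after signing invalidates the signature.
  const rewritten = { ...relayed, clientData: relayed.clientData.replace(lookalike, site) };
  const c2 = crypto.randomBytes(32); // challenge issued for a later login
  return {
    genuine: verifyAssertion(server, c1, site, genuine),
    relayed: verifyAssertion(server, c1, site, relayed),
    rewritten: verifyAssertion(server, c1, site, rewritten),
    replayed: verifyAssertion(server, c2, site, genuine),
  };
}

console.log(demo());
```

The server never holds anything that can be typed into a login form: a response signed on the wrong origin, edited after signing, or reused against a new challenge is rejected.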
The WebAuthn standard is supported by Firefox Beta (version 60.0) and is scheduled for general release in May. It will also appear in Chrome and Edge in the coming months.