Microsoft Edge gets Web Authentication specification support

Microsoft announced today support for the Web Authentication specification in its Edge browser, helping bolster security and making it easier to sign in without having to remember long, random passwords. From Microsoft:

Staying secure on the web is more important than ever. We trust web sites to process credit card numbers, save addresses and personal information, and even to handle sensitive records like medical information. All this data is protected by an ancient security model — the password. But passwords are difficult to remember, and are fundamentally insecure — often re-used, and vulnerable to phishing and cracking.

This new feature, which is available in Windows 10 Insider Preview build 17723 or higher, is centered around the hardware used with Windows Hello, like IR cameras and fingerprint readers, to log you into websites with hardly any hesitation.

In addition to being able to use your face or fingerprint to authenticate, you'll be able to use a PIN or external FIDO2 security key, and any websites unprepared for a passwordless future can take advantage of backward compatibility with FIDO U2F external devices.

Those of you with build 17723 or higher can give this feature a try now, and anyone interested in using the Web Authentication API on their own websites can check out Microsoft's further documentation on implementation.

Cale Hunt
Senior Editor, Laptop Reviews

Cale Hunt is formerly a Senior Editor at Windows Central. He focuses mainly on laptop reviews, news, and accessory coverage. He's been reviewing laptops and accessories full-time since 2016, with hundreds of reviews published for Windows Central. He is an avid PC gamer and multi-platform user, and spends most of his time either tinkering with or writing about tech.

  • Signing in has never been easier, more convenient and safe. Way to go, MSFT.
  • This is a major thing. Looking forward to it when it comes to Production updates.
  • This is way overdue for Windows Hello to actually do something! My internet browser on my Samsung has been doing this for years
  • Which browser?
  • he probably means his Samsung washing machine
  • Right
  • I believe Samsung Internet on Galaxy (and probably other Samsung Android) phones does this. It's a bit more haphazard than this implementation i.e. if the password has been saved using Samsung Smart Pass, then it will authenticate using biometrics before autofilling the password for you. It still keeps the password though.
    This Edge implementation (which is standard and hopefully coming everywhere - I think Chrome and Safari already have it) is arguably much better because it takes the password out of the equation - and that's what's making it secure - because passwords can be cracked and phished and are often reused.
    Samsung's current implementation probably isn't any more secure than anything else because if you can sign-in to the phone, you can get through the browser. Still, it's something.
  • And this is why Edge should be updated separately from the OS
  • Second this!
  • Yup! The only problem is that changes such as this one are larger platform changes. You can't expect Windows Hello to seamlessly hook into Edge's new functionality. That's why they make Windows serviceable - so they can update that stuff easily as well. In a perfect world, we could push Edge updates entirely independently of the OS. Android sort of does this with Chrome and their WebView uses Chrome too (for apps) so it's a similar situation.
    The only thing is independent updates require Microsoft to maintain much more support and testing for all Edge configurations (i.e. Edge 19 on Windows 10 1703, Edge 17 on Windows 10 1709 etc.). It's probably a convenience thing for them because now they only have to test Edge with the corresponding Windows version - and trust me, when the whole SDK depends on it, it's so much harder than it sounds. Edit: What's a little easier is separating Edge and EdgeHTML (at least it sounds so to me). They should be able to update just the "box" of the browser which includes changes like PDF tools etc. that were added in a recent build. That should be independent of Windows version.
  • This will be huge for banking PWAs running on a certain pocketable Windows device.
  • Yes! We're actually getting close to web apps that actually function just as well as mobile apps. If only they make browsers fast enough now and websites start making use of all this functionality i.e. caching offline data, service workers, etc.
  • sweet, good job
  • "Any websites unprepared for a passwordless future can take advantage of backward compatibility with FIDO U2F external devices."
    I read the article that was linked to in that sentence, and still do not understand this sentence. Would someone mind explaining it to me?
  • This is a form of 2-factor authentication supported by Google / Yubico. With an authenticator app on your phone or a Yubico "Yubikey" USB stick, you can use a phone challenge or touch the Yubikey instead of typing a password.
  • What about using my Lumia950 Hello IR-camera to unlock my bank account in Edge on my laptop! They are already connected with each other by Bluetooth and my laptop will be blocked when the connection is gone for about a minute. I've to unlock my laptop only when I'm starting up with my Lumia950 Hello IR-camera!
  • Just wondering... With 1809 now released, is the feature active and where might one be able to activate and test it?