
New authentication standard may let you ditch passwords across the web

When it comes to security for online accounts, the weakest link is usually your password. However, the FIDO Alliance and the World Wide Web Consortium (W3C), two organizations that develop and promote open standards, are ready to make using passwords online a thing of the past.

In a joint announcement today (via The Verge), W3C and the FIDO Alliance announced a new web authentication standard, called WebAuthn, that will let people use biometrics and USB tokens, like YubiKey, with web logins.

While some online services already support logins with these methods, WebAuthn will give browsers and services a common open standard to build off of. This could allow sites to leverage things like fingerprint readers and cameras in place of, or in addition to, your password to log in.

"With Web Authentication, we're giving people using Firefox the opportunity to add another layer of security to their browsing experience," said Selena Deckelmann, who is Senior Director of Engineering for Firefox Runtime at Mozilla. "Giving people greater control over how they manage their security online and making the internet safer is central to Mozilla's mission to keep the web open and accessible to all."

In terms of implementation, WebAuthn is already supported in the latest version of Firefox. Google and Microsoft are also working to implement the standard in Chrome and Edge.

As with anything, there's no guarantee that WebAuthn will be foolproof. However, in a time where it feels like you can't go a week without hearing about a data breach, taking a step toward replacing passwords with something potentially more secure is welcome.

Dan Thorp-Lancaster is the Editor in Chief for Windows Central. He began working with Windows Central as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl. Got a hot tip? Send it to daniel.thorp-lancaster@futurenet.com.

17 Comments
  • Does this operate through Windows Hello or will it be sending a copy of my biometric data to these web companies? If the latter, no thanks. That'd be worse than signing in with Facebook. Hoping this is Windows Hello compatible? If so I'm looking forward to it as waiting for Enpass to finally use Windows Hello in its Edge plug-in is a long (looooong) process. I've almost given up on them.
  • Downvoted? Is someone here still a Facebook fan then? Wonders will never cease it seems...
  • I don't know if it will go through Windows Hello, but I think it definitely shouldn't send the bio data to the website. I'm guessing it will be processed locally and it then sends some token or some hashed data or whatever to the website to confirm that it's actually you.
    All in all tbh I don't know if I'm eager to use it. I kinda was before, but now I don't really wanna use any biometrics. I type in my password in just above a second anyways. And as for the security, it won't really save you THAT much.
    I support this however, this is the future, no doubt.
  • It will save a lot if it means I can have complex passwords for web sites without all the fuss. If the data is to be held locally and Hello is not used then we'll need to install some other package to do it. Seems a bit pointless when Hello is there, so I expect Edge will do this through Hello if it is to be locally managed. Wish there was confirmation though. It's a main reason why I don't want LastPass or the like, as such often keeps all your passwords stored with them off site. Enpass is much better being entirely local, but as stated they are dragging their heels so bad over Hello compatibility (how long's it been out for now...?) that I'm hunting for an alternative. This could be it, with a little more info.
  • In my head it makes sense that it will actually fall back to the OS, which will manage the biometrics, so each environment has to provide its own solution that should follow the general standard. I doubt each program will implement its own system. So on the Apple side it will probably be the whole FaceID/TouchID thingy, and on Windows it'll either be Hello, or they could make a new system that will handle it, which will be more robust and follow the standard more closely. While that doesn't make that much sense since Hello is already here, it's not out of the question. Hello kinda seems a bit proprietary to me, though I may very well be wrong. We'll just have to wait and see.
  • Arstechnica has an article about this that goes more into detail about it.
    "With WebAuthn-enabled browsers and sites, users can sign in using both integrated biometric hardware (such as the fingerprint and facial-recognition systems that are widely deployed) and external authentication systems such as the popular YubiKey USB hardware. With WebAuthn, no user credentials ever leave the browser and no passwords are used, providing strong protection against phishing, man-in-the-middle attacks, and replay attacks."
    https://arstechnica.com/gadgets/2018/04/practical-passwordless-authentic...
    Reading comments is also educational
  • My job requires use of a Common Access Card (CAC). It's annoying as hell. Any access method that requires any additional device is a fail, as far as I'm concerned. Sure, it's more secure, but if I could STOP using a CAC right now, I'd do it. If someone creates a great biometric entry mechanism that is universal, not requiring you to carry some additional key or reader or whatever, then I'm on board. Otherwise, I want nothing to do with it.
  • Since this system is biometric compatible that shouldn't be a problem, as long as it does so by keying in through Windows Hello. If it is simply an API to allow the web sites to directly check your biometrics though, it would be a concern.
  • Yeah. Screw being safer by having to carry something extra around... what a stupid thing to say.
  • Nope, it is an issue using a pass card because if you don't have it you can't log on. Also, these things can be lost and so can swiftly turn from a safety device into a security risk. A finger, face or iris is far harder to leave on the bus.
  • Someone's never dealt with the various Mafia... That stuff gets left behind all the time.
  • How many times over the years have we been told something like this? In fact I am pretty sure that almost every year there is something in the news about some system that will do away with passwords and yet here we are in 2018 still using passwords. I'll believe it when I see it.
  • You make a good point. We've had Hello for a long time now, and it actually has a web login feature. You may not have noticed this because save for the one demo page MS set up I've never seen a web site use it... including all the MS sites. For some reason web devs just don't want to have anything but their own custom login system. The only way around this is something like Enpass, if they ever get around to adding the promised Hello functionality. I might have turned up my toes by the time that happens though.
  • Microsoft should have made this, they were planning to when unveiling Hello. Another missed chance.
  • They *did* do this. They can't force adoption though. This has a greater chance of success as it's multi-platform. Websites rarely want to only be usable on one browser, let alone a single OS.
  • This is what stopped LastPass from supporting FIDO: Chrome was the only major browser that supported it. It works with my YubiKey, but a generic FIDO key is about 1/4 of the price and does that particular job just as well (FB, Gmail and GitHub use it. If anything it's mildly faster than the code exchange done by YubiKey and doesn't require any central server).
  • Authentication is primarily concerned with 1) who are you, and 2) prove it. The "who" part is like a username. Then to prove it you provide a password. If your password is compromised, you change it. Biometric information is NOT the "prove it" part, it is the "who" part. You could use a fingerprint or retina scan or facial recognition to replace the username, but the "prove it" part must be able to be changed, such as a password or pin. Biometrics cannot normally be changed when compromised, once someone has your fingerprints or retina scan, game over. This is scary stuff and people are just eating it up like stupid little lemmings following each other off the cliff.