What Do You Mean No More Passwords?

In an effort to rid the world of the dreaded password dilemma, the World Wide Web Consortium (W3C) has this week approved the new Web Authentication API standard (called WebAuthn) which will allow users to login to websites without the need of a password.

WebAuthn will enable strong authentication for web applications, through the use of public-key crypto-based credentials, which will effectively remove the need for passwords.

This new API is already supported in common operating systems and browsers such as Windows 10, Android, MS Edge, Firefox and Chrome.

Passwords have long been thought of as the vulnerable element in user authentication and account security, with over 80% of today’s data breaches being caused by weak or bad password practices.

The new API relies on 3 core components: a participating Website, a supported Web Browser and an Authenticator. The Authenticator will be in the form of a Fast IDentity Online 2 (FIDO2) complaint device i.e. a smartphone, bio-metric device or USB crypto key, such as the YubiKey.

This not only increases security by providing unique login credentials for each and every site, but also eliminates user tracking, which increases privacy.

At a high level it works by the website informing the web browser of its intention to authenticate; the web browser communicates with the authenticator, which verifies the user via a PIN code or bio-metric reader (fingerprint or camera facial recognition); the authentication response is then passed  back to the browser and the website, to grant the user access.

In the press release Jeff Jaffe CEO of W3C stated:

“Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences. W3C’s Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site.”

The likes of Microsoft and Dropbox have already started to integrate WebAuthn into their products, so its over to other vendors and websites to follow suit and integrate the new standard.

This doesn’t quite hail the death of the password, but it does moves us in the right direction and closer to a life that involves ‘No More Passwords’.

Ironshare – Security Simplified