Microsoft Adds Support for WebAuthn in Edge


Passwords have been on the endangered authentication methods list for some time now, and Microsoft is working to move up the extinction horizon.

In the latest build of Windows 10, Microsoft has added support in its Edge browser for the WebAuthn specification, meaning that users will be able to log in to sites that support the specification using biometrics or a hardware security key. The feature has been in unstable versions of Edge for a while now, but this is the first stable, public version of the browser to offer users WebAuthn authentication options.

In Edge, users can employ either the Windows Hello biometric authentication method, which uses either facial recognition or a fingerprint, or an external hardware security key, such as a YubiKey, to log in to sites supporting WebAuthn. The change not only eliminates passwords from the flow, it also provides a much stronger level of authentication.

“Users can also use external FIDO2 security keys to authenticate with a removable device and your biometrics or PIN. For websites that are not ready to move to a completely passwordless model, backwards compatibility with FIDO U2F devices can provide a strong second factor in addition to a password,” Angelo Liao, a program manager for Edge, and Ibrahim Damlaj, a program manager for Windows security, wrote in a post announcing the change.

“We’re working with industry partners on lighting up the first passwordless experiences around the web.”

The WebAuthn specification is currently a Candidate Recommendation in the W3C standards process, a couple of steps short of becoming a full-fledged web standard. Once it reaches that stage, it's up to site owners and technology providers to support the standard. Microsoft isn't alone in working to integrate support into its products. Google, Mozilla, and many other companies are also on the road to supporting WebAuthn in their browsers and other products. Chrome has had support for the specification since Chrome 67 and Mozilla added it to Firefox in version 60, released in May. At the RSA Conference in April, both Google and Microsoft demonstrated implementations of WebAuthn on their platforms.

The specification has applications outside of simple authentication, too, including support for payments through services such as PayPal.

“They’ve had Edge WebAuthn working for a little while now in the unstable Windows Insider build, so I’ve gotten a chance to see the flow of how it works and I really like it. And I like that they framed it as a payment solution rather than a password solution, because it can handle both but I think it’s a frame for the new tech,” said Nick Steele, a research and development engineer at Duo Security, who helped develop a demo implementation of WebAuthn.