WebAuthn Offers a Glimpse Into a Potentially Password-Less Future

The dream of a password-less future may still be just that, a dream, but an emerging standard that soon will be supported by many of the major browsers is bringing it closer to becoming a reality.

Passwords have become major irritants both for users and for the security teams that have to support them. Remembering credentials for dozens of sites is difficult, so many people tend to reuse passwords on multiple sites, meaning that if a password is stolen or compromised in a data breach, many separate accounts could be jeopardized. There have been a number of different efforts to address this problem, from password managers to biometrics, but none has become the one overarching solution to the problem.

On Tuesday, a specification called WebAuthn took a major step toward perhaps filling that role. The specification, developed by the FIDO Alliance and submitted to the World Wide Web Consortium (W3C), is now a candidate recommendation, the final stage before it is approved as a standard by the W3C. The WebAuthn API is designed to allow for the “creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.” In plain terms, the specification makes it easier for people to use multi-factor authentication across the web.

“Security on the web has long been a problem which has interfered with the many positive contributions the web makes to society. While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link,” W3C CEO Jeff Jaffe said. “WebAuthn will change the way that people access the web.”

Google, Microsoft, and Mozilla all have plans to support WebAuthn in their browsers, and engineers from all of those companies worked on the specification. Building support for WebAuthn into Chrome, Edge, and Firefox means that users will be able to use a single form of strong authentication, such as a hardware key or an authenticator app, with sites that support the specification.

“With Web Authentication, we’re giving people using Firefox the opportunity to add another layer of security to their browsing experience. Giving people greater control over how they manage their security online and making the internet safer is central to Mozilla’s mission to keep the web open and accessible to all,” said Selena Deckelmann, senior director of engineering for the Firefox Runtime at Mozilla.

Google already has an implementation of WebAuthn in Chrome 65, and support for the specification will likely find its way into other products soon. But full approval from the W3C is still probably several months away. The extent of future adoption by site operators and users may depend in part on how well developers and security experts educate users about the benefits of WebAuthn.

“Short-term adoption will be critical because those developers will be the ones who will educate users and other developers. It’s about trying to get people comfortable with the idea and that in the event of a breach, just because you used your fingerprint to authenticate at some point doesn’t mean it’s all over the Internet now,” said Nick Steele, a research and development engineer at Duo Security, who developed a demo of the WebAuthn specification.

“As this gets implemented, there are big, smart companies with smart designers who can make this flow work. The thing we have to design around is allaying the fear of how it works.”