In an effort to rid the world of the dreaded password dilemma, the World Wide Web Consortium (W3C) has this week approved the new Web Authentication API standard (called WebAuthn), which will allow users to log in to websites without the need for a password.
WebAuthn will enable strong authentication for web applications through the use of public-key crypto-based credentials, which will effectively remove the need for passwords.
This new API is already supported in common operating systems and browsers such as Windows 10, Android, MS Edge, Firefox and Chrome.
Passwords have long been thought of as the vulnerable element in user authentication and account security, with over 80% of today's data breaches being caused by weak or bad password practices.
The new API relies on 3 core components: a participating website, a supported web browser and an authenticator. The authenticator will be in the form of a Fast IDentity Online 2 (FIDO2) compliant device, such as a smartphone, biometric device or USB crypto key like the YubiKey.
This not only increases security by providing unique login credentials for each and every site, but also eliminates user tracking, which increases privacy.
At a high level it works by the website informing the web browser of its intention to authenticate; the web browser communicates with the authenticator, which verifies the user via a PIN code or biometric reader (fingerprint or camera facial recognition); the authentication response is then passed back to the browser and the website to grant the user access.
In the press release, Jeff Jaffe, CEO of W3C, stated:
“Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences. W3C's Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site.”
The likes of Microsoft and Dropbox have already started to integrate WebAuthn into their products, so it's over to other vendors and websites to follow suit and integrate the new standard.
This doesn't quite hail the death of the password, but it does move us in the right direction and closer to a life that involves 'No More Passwords'.
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.