WebAuthn is the new hotness – RIP Passwords

The other day the W3C announced a new standard for logging in called WebAuthn. It’s already supported by Firefox and will be supported by Chrome and Microsoft’s Edge directly. It’s likely Apple will follow suit with Safari, as they are a member of the working group that (along with the W3C and FIDO) came up with WebAuthn.
WebAuthn is WhatsUp
WebAuthn is an attempt to “bring simpler yet stronger web authentication to users around the world.” What that means, in practical terms, is that when fully implemented WebAuthn will allow users to log in to websites with biometrics and USB tokens instead of passwords. WebAuthn works on a system called “zero-knowledge proof”. A zero-knowledge proof is a method by which one party (the prover, Peggy) can prove to another party (the verifier, Victor) that she knows a value x, without conveying any information apart from the fact that she knows the value x. This means the authentication is not based on a single simple string.
It will also allow us to forget all about complex password schemes for the dozens of websites we log in to. Just pop in the USB drive that you have authenticated previously, and you are logged in. This helps alleviate not only phishing but also man-in-the-middle attacks, stolen credentials, and replay attacks. For the more security conscious, biometric-based logins eliminate the problem of your USB drive being lost or stolen.
Sam Srinivas, Product Management Director, Google Cloud Security says:
“Google Chrome is dedicated to building a better web, and allowing developers to interact with secure keystores in a structured way helps us continue this mission. As a founding member of the U2F and FIDO2 working groups within FIDO, we’re excited for the launch of these standards and look forward to our continued collaboration.”
Dave Bossio, Group Program Manager, Operating System Security, Microsoft says:
“Providing a password alternative that works across devices, apps, browsers, and websites delivers on our commitment to a future without passwords. We are excited to announce that we will add support for WebAuthn API, currently in the approval process stage, and W3C, in Microsoft Edge thanks to our work with the FIDO Alliance.”
Why Password Authentication Sucks
Password authentication to validate users is better than nothing – but far from ideal. All you have to do is read about how Equifax exposed millions of passwords to see just how insecure the whole scheme is. If your business, customer, or personal financial data is secured by a password only, I highly recommend investigating Two-Factor Authentication (2FA). Sites from Google, to TurboTax, to OkCupid support 2FA right now.
For sites that you do still have to use simple passwords to log in to, please, for goodness sake, don’t use the same password for every site. If your password is compromised once, hackers can potentially use it to get into other accounts. Additionally, if you do not use a secure password you can assume it is just a matter of time before you are compromised. You can find out if you have been compromised here.
Is WebAuthn the Future?
Only time will tell whether or not WebAuthn is the answer to the problem of creating and remembering multiple usernames and passwords and the security issues associated with them. Right now it looks like the most promising option for a security standard with simpler, stronger authentication. I’ll be testing it out as soon as possible; watch this space for a follow-up within a couple of weeks.
I do NOT WANT TO TAKE A FINGERPRINT to log on to FACEBOOK!
You mad bro? Biometrics will not be mandatory with WebAuthn, only one of multiple options.
It would be so nice to not have to (try!) and remember all my logins and passwords… I have a password manager (LastPass) but it is not a foolproof solution.
That’s the idea for sure. The added security is more important in my world, but I could not agree with you more.
A revised standard for information security has been issued
Read more: http://www.digitaljournal.com/tech-and-science/technology/new-international-standard-for-information-security/article/520389#ixzz5DQynBq3r
Big tech companies have been using this sort of sign in for quite some time. It’s good to see it coming to the masses in the U.S.
The big HOWEVER is that this should only ever be ONE option for signing in. I am not for the Eastern European model where you HAVE to login with your government issued smart card.
Hey… Got it – Memory Override, that is a very good point… If you can only login with your government issued smart card I would be totally against it. Food for thought.
Right, it doesn’t really matter if you can’t comment on Facebook without your government ID card, but if you can’t log into your bank account without it?