Password-free logins have long been the stuff of dreams for security researchers and privacy advocates—not to mention regular people who fat-finger their account passwords into a browser every day. Industry efforts to end our reliance on the multi-character password have resulted in the proposal of numerous alternative login methods, including biometric verification and the use of behavioral data to prove an individual’s identity. But most of these attempts haven’t yet led to the promised land: a web without passwords.
Now, a new standard for the web called WebAuthn is being lauded as a major step forward in secure authentication, and “probably the most effective anti-phishing measure for the web that’s out there,” according to Selena Deckelmann, senior director of engineering for Mozilla Firefox. It introduces a set of rules for the web that, if adopted by popular browsers and websites, would mean people could use a single device or a single fingerprint to log into, well, almost everything.
But like the password-free attempts before it, WebAuthn still faces hurdles before it becomes something that impacts the masses. Some security and identity experts seem reluctant to claim that our password-free future has finally arrived. And a lot of WebAuthn’s success comes down to whether hugely popular websites like Amazon or Facebook will adopt this new standard.
Who Are You?
The new WebAuthn standard is a joint effort between the World Wide Web Consortium (W3C) and the FIDO Alliance, which is made up of a variety of tech and finance companies and is chaired by online identity experts. (FIDO stands for “Fast Identity Online”.) WebAuthn builds on top of two pre-existing FIDO specifications—U2F and UAF—that some websites use to verify a user’s identity through what’s known as 2FA, or two-factor authentication. This login method, which requires a user to enter both a password and a secondary means of identity verification in order to access their account, is a more reliable way of confirming somebody’s identity than only asking for a password.
All around the web, non-password authentication is usually offered as a secondary option for logging into a website. By enabling web browsers to handle these sign-ins natively, proponents of WebAuthn could push for them to become the web’s primary means of user authorization. Google, Mozilla, and Microsoft have all said they’re on board.
That’s a lot of jargon and a bit confusing. But, basically, it means that logging into browsers and online accounts could be both easier and more secure for consumers. You could log in by either using a physical dongle that plugs into your computer’s USB port, like the new, $20 Yubikey announced last week that supports the new FIDO protocol; or by using a biometric log-in like a fingerprint. There might be an initial sign-in or sign-up process that would involve entering a password. But after that, logging in would be, in theory, a one-step process. (Here’s a good primer on how to use a YubiKey.)
One example, says Dave Bossio, a group program manager for operating system security at Microsoft, would be using Windows Hello as an authenticator for your browser on your laptop. And since Windows Hello covers three forms of authentication (a PIN, a fingerprint sensor, or a facial-recognition camera), it would give people different options. “The browser [support] will start lining up in the mid-to-second-half of 2018,” Bossio says, “so that’s when there will be one provisional step, once that party has enabled their backend to support FIDO2, and after that it will be one-step authenticating that account.”
A Touch of Security
In some ways, the new standard is similar to Apple’s “TouchID, but one step forward,” says Zhiwei Li, the founder and chief executive of a password protection startup called Pepperword. Li also gained notoriety for exposing vulnerabilities in the password-management app LastPass back in 2013.
“With TouchID, you use your fingerprint to log into a local device. With FIDO2, you can actually log into your desktop by using your fingerprint on your phone,” Li says. In other words, it would replicate the proprietary process that Apple has now for authenticating between devices, but on non-Apple products. “FIDO2 is essentially standardizing the way to do it, end-to-end,” Li says. (Apple is the one major browser maker that hasn’t voiced support for WebAuthn.)
What may be even more beneficial than simplifying sign-ons is the protection from phishing attacks: If there’s no password to enter, then that password can’t be stolen. “I think it’s a big deal for people who are a high target–celebrities, or high-net-worth people who actively have people who are trying to hack into their accounts,” says Sarah Squire, a senior technical architect at Ping Identity. Squire cites the celebrity nude-photo scandal of 2014 as an example of such an attack. “This makes it so whoever is logging into that account has to have a key, like a Yubikey, so people can’t easily be phished.”
There’s a certain amount of irony that this futuristic solution still involves a physical dongle, something I mentioned to Squire and others. Secure identity dongles, like the kind RSA makes, have been around for at least 15 years, so why is having people buy a Yubikey better? One answer is a practical one: you don’t have to enter any kind of PIN with this new Yubikey. You just plug it into your computer. The other answer is more complicated, which is that in some ways it’s not better; physical keys can still be lost or stolen, and you’re still carrying an extra device around with you.
But the bigger challenge WebAuthn faces, bigger than the hassle or cost associated with physical devices, is getting popular websites (like Amazon, Facebook, or any other site you visit daily) on board. That’s according to Samuel Weiler, a member of the W3C’s WebAuthn working group. “Password managers are great because they can be adopted unilaterally,” Weiler says. “For this technology [to work], the websites have to make changes to adapt to it.”
And Li says the integration process for a company like Amazon can be “complicated,” which is why there’s initial support from browser companies but not from e-commerce companies or social sites.
“Initially, we will not have this glorious passwordless future,” says Mozilla’s Deckelmann. “At first it will be worked in as a second factor, something that websites will need to write a little bit of code for.”
Still, if or when it’s widely adopted, WebAuthn has the potential to offer a “great user experience improvement,” Deckelmann says.
And Li, along with others, agrees that WebAuthn is moving the whole industry in the right direction. “Passwords aren’t a problem because one user screws up. I think the whole ecosystem is broken,” Li says. “And it takes someone like FIDO to fix it.”