Web browsers are building a new way for you to log in, announced today by the W3C and FIDO Alliance standards bodies. Called WebAuthn, the new open standard is currently supported in the latest version of Firefox, and will be supported in upcoming versions of Chrome and Edge slated for release in the next few months.
WebAuthn has been working its way toward W3C approval for nearly two years, but today marks the first major announcement of browser support. Apple has not commented on Safari support for WebAuthn, although the company is part of the working group that developed the standard.
Today’s announcement the latest step in a years-long effort to move users away from passwords and toward more secure login methods like biometrics and USB tokens. The system is already in place on major services like Google and Facebook, where you can log in using a Yubikey token built to the FIDO standard.
“a world where it’s impossible to phish users”
WebAuthn will make that feature easier for smaller services to implement, whether using those devices as a second factor or replacing the password entirely. As more open-source code is built for the new standards, it will get easier for developers to implement those logins, potentially leading to a lot more password-free logins across the web.
“Previously, the work to support tokens was happening amongst big companies like Google, Microsoft and Facebook, which would implement their own drivers,” says Selena Deckelmann, who worked on Firefox’s implementation. “With WebAuthn, you’ll be able to use commonly available libraries.”
Because the FIDO standard is built on a zero-knowledge proof, there’s no single string of characters that guarantees access to an account, which makes it much harder to pull a conventional phishing attack. Those logins are still rare, even on services where they’re available, but they provide an important way for security-conscious users and businesses to protect themselves. And as more services move to support the stronger logins, the population of FIDO-ready users will only grow.
“What this really enables is switching from using passwords to using a device, and getting to a world where it’s impossible to phish users,” Deckelmann says. “Now we’re not there yet. It’s our glorious future. But that’s the path we all want to be on.”