Google Chrome now lets you sign in to most services without a password

Illustration by Alex Castro / The Verge

Google just released Chrome 67 for desktop, as spotted by ZDNet. This version of Chrome will allow password-free sign-ins for most websites, meaning you can avoid hunting through a password manager for specific credentials.

Password-free sign-ins come from the Web Authentication standard, which was launched in March by the FIDO Alliance and the W3C. It lets you sign in to virtually any online service through unique credentials that you don’t have to memorize, such as fingerprint readers, USB keys like YubiKeys, etc. The standard is also meant to make it less likely a bad actor can obtain your most commonly used passwords by making it easier to give each service different login credentials.

Mozilla’s Firefox was the first browser to get the standard; plans for Chrome and Microsoft Edge to adopt it later had been hinted at.
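What a site has to check before it accepts a Web Authentication sign-in, and why the credential for one service is useless on another, shown as an added example (not code from the article, Chrome, or the FIDO Alliance). The site `example.com`, the challenge value and the function names are made up for illustration, and the example assumes the signature over these bytes is verified separately.

```javascript
// Added example: relying-party checks on a WebAuthn sign-in response (constructed data).
const crypto = require("node:crypto");

const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Check the fields that bind a response to one site and one login attempt.
// expected = { rpId, origin, challenge } are values the server already holds.
function checkAssertion(clientDataJSON, authenticatorData, expected) {
  const clientData = JSON.parse(clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "wrong type";
  // The challenge is a fresh random value per attempt, which stops replay.
  if (clientData.challenge !== expected.challenge) return "challenge mismatch";
  // The browser, not the page, fills in the origin, so a look-alike site cannot forge it.
  if (clientData.origin !== expected.origin) return "origin mismatch";
  if (authenticatorData.length < 37) return "authenticator data too short";
  // Bytes 0..31: SHA-256 of the RP ID (the site) the credential is scoped to.
  const rpIdHash = authenticatorData.subarray(0, 32);
  if (!crypto.timingSafeEqual(rpIdHash, sha256(expected.rpId))) return "rpId mismatch";
  // Byte 32: flags. Bit 0 = user present (touch), bit 2 = user verified (fingerprint, PIN).
  const flags = authenticatorData[32];
  if ((flags & 0x01) === 0) return "user not present";
  return "ok";
}

// Build a constructed response as a browser would report it for the given origin and RP ID.
function sampleResponse(origin, rpId, flags = 0x05) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: "c2FtcGxlLWNoYWxsZW5nZQ", origin,
  }));
  const authenticatorData = Buffer.concat([
    sha256(rpId), Buffer.from([flags]), Buffer.from([0, 0, 0, 7]), // signCount = 7
  ]);
  return { clientDataJSON, authenticatorData };
}

const expected = {
  rpId: "example.com", origin: "https://example.com", challenge: "c2FtcGxlLWNoYWxsZW5nZQ",
};
const good = sampleResponse("https://example.com", "example.com");
const lookalike = sampleResponse("https://examp1e.com", "examp1e.com");
console.log(checkAssertion(good.clientDataJSON, good.authenticatorData, expected));
console.log(checkAssertion(lookalike.clientDataJSON, lookalike.authenticatorData, expected));
```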

Chrome 67 is also increasing its use of site isolation, keeping each browser tab separate so that a site can’t easily access data from other open tabs, which is a fix it initially rolled out to address Spectre-style attacks. Chrome will also be more compatible with VR through the Generic Sensor API, which is a standard used among fitness trackers and VR headsets, and it should pave the way for more integrations between desktop and gadgets to come.



Comments

Good one.

"The standard is also meant to make it less likely a bad actor can obtain your most commonly used passwords".

Good. Tom Cruise is always trying to steal my shit.

Any idea on if it works with Windows Hello? It would make sense to use the authentication system built into Windows.

Yes, the same FIDO2 keys should work for WebAuthn and Windows Hello,

https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/

What I was specifically asking was: will I be able to sign into websites just using my face?

While this is definitely a win for those after ultimate convenience with entering credentials, I wouldn’t trade it for my Lastpass Premium membership.

This is a bit off-topic.. my LastPass premium expires soon, and I cannot find a reason to renew it. Are there any features it offers over LastPass Free that are worth paying for?

Premium comes with ‘premium support’ and a few other perks.
TBH, after 3 years as a Premium LastPass customer, I let mine expire as well after the price doubled from $12/year to $24/year. I want to support them especially for how much I rely on their service, but they apparently have some price tier issues and do not know the meaning of incremental changes.

This doesn’t allow passwordless sign in for "most services". It currently grants it for 0 services, and that number will slowly increase over time. The site has to implement WebAuthn, and no one does yet.

Oh I read it. I’m responding to this:

Chrome 67 is also increasing its use of site isolation, keeping each browser tab separate so that a site can’t easily access data from other open tabs

Google blocking other web services from accessing and capitalising on data, yet through their dominant market share browser, allowing ONLY their web service to see it ALL.

You have to be a pretty rabid anti-googler in order to spin this as a bad thing.

Oh I read it. I’m responding to this:

Chrome 67 is also increasing its use of site isolation, keeping each browser tab separate so that a site can’t easily access data from other open tabs
Google blocking other web services from accessing and capitalising on data, yet through their dominant market share browser, allowing ONLY their web service to see it ALL.

I think you’ve totally misunderstood what site isolation does.

Site isolation creates a new instance for each browser tab. Say you have two sites open in separate tabs; each tab now runs as its own sandboxed process. This means if, say, you have Facebook open in one tab, and a dubious, malware infested tab open in the other, the two sites aren’t sharing memory, and so the malware can’t fish any Facebook data out of the browser cache, because it’s running as a totally separate process.

This is a good thing; it effectively places a firewall between each running Chrome process, reducing the likelihood of malware ridden sites, dodgy extensions etc. from becoming a security liability.

This change has nothing to do with how Google or anyone else’s web services work; it’s a background change to how Chrome runs locally on your machine. Web services will still be able to access the data you’ve given them access to; Facebook will still collect user data according to its terms and conditions, GMail will still do likewise, as will Twitter, etc.

The difference is those running processes won’t share resources, which reduces the ability of a nefarious process to steal data from another Chrome process running on the same machine. It’s just an added layer of granularity to the Chrome sandbox.

I really can’t see how anyone can paint that as a bad thing?

Ok, great, then that means the article has this wrong, right? Again, I quote what I have responded to in this Verge article (and I emphasise in bold):

Chrome 67 is also increasing its use of site isolation, keeping each browser tab separate so that a site can’t easily access data from other open tabs…

I agree about increasing security, of course. So my misunderstanding is from this quote in the article right (maybe worded badly)?

Ok, great, then that means the article has this wrong, right?

No, the part of the quote from the article you’ve highlighted in bold is accurate. A site running in one tab cannot access data from another open tab, because the two tabs run as separate sandboxed instances in Chrome.

The article has it right; a site open in one tab cannot easily access data from other open tabs. This is a good thing; it makes Chrome more secure and stable.

It’s a background change affecting how Chrome handles resources on the local machine it is installed on. It has nothing to do with online data collection, either by Google or anyone else.

So, please, explain to me, how would WebAuth work on my Mac with TouchID? Should I turn on some tumbler in settings, will it suggest something next time I log in somewhere? Can’t figure this out in Chrome settings.

Don’t bother. This article is incredibly inaccurate – no site currently supports WebAuthN. No idea how the author / editor got confused that Chrome now allows this to work with "most sites."

It’d be nice to see a list of what sites actually support this. It’d be a great feature, but if noplace I use supports it…

I’m just excited this is the update that finally supports windows precision touchpads. Sure, scrolling is still very laggy (even more so now), but at least it doesn’t feel delayed and lazy now.

how to use this with windows hello?
