The web just took a big step toward a password-free future

Illustration by Alex Castro / The Verge

Today, the World Wide Web Consortium (W3C) approved WebAuthn, a new authentication standard that aims to replace the password as a way of securing your online accounts. First announced last year, WebAuthn (which stands for Web Authentication) is already supported by most browsers, including Chrome, Firefox, Edge, and Safari. Its publication as an official web standard should pave the way for wider adoption by individual websites.

At its core, WebAuthn is an API that allows websites to communicate with a security device to let a user log into their service. This security device can range from a FIDO security key that you simply plug into a USB port on your computer to a more complex biometric device that allows for an additional level of verification. The important thing is that WebAuthn is more secure than the weak passwords people end up using for most websites, and it’s simpler than having to remember a string of characters in the first place.

Now that the standard has been approved by the W3C, the next step is for websites to integrate the standard. Dropbox was one of the first to do so last year, and Microsoft did so soon after. The password isn’t on its last legs just yet, but after today’s announcement, WebAuthn is one step closer to being a viable alternative.

Comments

Really great news. I hate passwords and account takeover is becoming more and more of a problem.

That said, the simplicity of passwords (works everywhere with text entry) is hard to beat. Hopefully, this standard will push to make using a fido key more ubiquitous.

All I need is a key that goes on my keychain and I’m satisfied. Someone keeps attempting to hack my gmail every so often (located in China) and that is worrisome. I’d like some peace of mind without having to remember a 30 character password with random symbols thrown in for good measure.

Enable two-factor for now.

Why do you have to remember it? No password manager :O ??

I use one, but a lot of people actually don’t. Maybe a key would actually be a good measure that people would use.

How does this interact with phones/watches/other things with no USB?

I’ve thought about getting a Yubikey for a while, but I really only use my own laptop and phone, and it wouldn’t even work with my phone.

Yubikey offers USB-C and/or NFC enabled solutions for phone use. Later this year they plan on launching a lightning port key.

Google offers a USB key that uses Bluetooth for phone applications.

How does this work?

It’ll probably require an RSA token or some sort of fingerprint scanner or facial scanner to authenticate you when you try to login to a website. Just type in your email or username and then authenticate with your device. At least that’s my guess without reading info outside of this article.

That’s what I’m trying to understand as well.

Right now you authenticate yourself because you yourself do know the password. Also the password is created, and not given to you.

In this case the device you use to authenticate has to be proven to belong to you. Where does that "proving" happen? How do I tell a website that this is my device? I suppose during initial login that stuff gets taken care of.

I’m interested though. I’ve been speculating as well. I haven’t left to do any research on this, but this has caught my attention. I’m interested in this security technology.

I would guess existing standards and when you either sign up or turn on the feature in your options. I doubt the standards are going outside of RSA and this is about as basic a tutorial as I found.
https://www.youtube.com/watch?v=E5FEqGYLL0o

It’ll be something like Touch ID or Windows Hello I think. At work, after entering my Bitlocker pin, I then log into Windows with the same pin (no fancy fingerprint reader or 3d webcam on my 5 year old Lenovo), and then I’m automatically logged into most of our intranet (still some legacy stuff that may never change, of course…)

What is the functional difference between this standard and what I do now:

I use Apple Keychain to store my usernames and (strong) passwords that are authenticated by FaceID on my iPhone.

??

It just eliminates the password?

This would also be for laptops. I’m assuming for both windows and mac.

Not mentioned in the article, but apparently you can just use your phone to authenticate.

This seems like the most useful. As long as it can confirm that your phone uses biometric authorization to unlock, a relatively frictionless 2-factor authentication on everything would be great.

I think the reason people tend to get confused on why these things are so much better than passwords, is because explanations need a small crypto primer. I’m not qualified to explain the math, but I think I can explain what you need to know without getting it horribly wrong.

So there are two kinds of crypto to understand here. Symmetric cryptography is like a decoder ring. In the simplest case, all As become Ds, Ds become Ls, etc. The "key" is just a map of one value to another, simple right?

Asymmetric crypto, what’s useful here, is more complicated.

Two people want to communicate securely, both so no one can read their messages, and they always know they’re talking to who they say they are, no one can impersonate anyone. Let’s say they have magical devices that generate key pairs. One key is "public," each person shares it with the world. The other key is private, they keep it hidden. Anyone who has the public key, can send the private holder a message that can only be decrypted with the private key that is secret.

So person A has a private key, and B’s public Key. B has A’s public key, and their own private key.

To start a conversation, A will grab B’s public key and encrypt a message that says "Hello, this is A, did you receive this message?" In response, B will take A’s public key, and send back "Yes, yes I did." Because A knows B could read the first message, they know B must be the holder of B’s private key, and vice versa. There are more sophisticated things they do, but essentially they’ve just "challenged" each other and proven their identities. And no one else can read their messages. Often what they’ll do, is use this brief exchange to swap a simple key for that symmetric crypto I mentioned above, and just keep using that to have a conversation. When you hit an https website, that’s the simple explanation of what happens. Brief asymmetric conversation is used to exchange a symmetric key.

Asymmetric cryptography is basically magic.

The usb key/phone/biometric whatever devices are those magical devices. They securely store a private key, and do the cryptographic operations necessary to have a conversation that proves identity. When you register with a website with authn/fido/etc, what you’re doing is saying "this public key identifies me, when I login, I’ll prove to you that I have the corresponding private key." Authn provides a standard way for browsers and sites to have that conversation.

Because the crypto is all on the key, even a keylogger on a public computer or a virus on your PC can’t capture the details needed to steal your account. And a phishing website can’t impersonate another website, even if you fail to notice that goggle.com isn’t google.com, your device will know that goggle doesn’t know google’s keys.

I sincerely look forward to this being implemented in 11% of the sites that I use 7 years from now.

If it’s like most things, that 11% of sites will be where people spend 90% of their time online anyway.

Not good enough. For this to really work, it should be supported everywhere. Otherwise if I’m still expected to remember passwords, then it’s really no different and I’m still stuck remembering passwords.

Agreed, but the truth is it’s likely to be a very slow roll-out just like every other web standard. As long as the big players implement it that’s a good enough start for me, and it’ll result in others following suit.

It’s good enough to make a difference IMO. Yes, this will not remove all passwords online or even on websites but enough so that it is an improvement over the current status.

Should be using a cloud based password manager with 128 – 256 character passwords and not have to remember anything. This is pretty much a password and 2 factor in one place, what’s not to love? This should have a rapid adoption, but whether or not consumers are using it is another question. The number of people that don’t actually use 2 factor and have passwords with their pet’s name, dictionary words, and birth dates is a good example of ignoring existing security measures.

That’s what password managers are for. Check out LastPass

This might be adopted quickly actually. User authentication systems are not something people code by hand anymore, there are very few big players in the grand scheme of things, that are used on 90% of sites. As soon as those libraries support it, adoption will soar.
