By now it’s crystal clear to just about everyone that the password is a weak and frankly meaningless form of authentication, yet most of us still live under the tyranny of the password. This is despite the fact that it places a burden on the user, is easily stolen and is mostly ineffective. Today, two standards bodies, FIDO and W3C, announced a better way: a new password-free protocol for the web called WebAuthn.
The major browser makers, including Google, Mozilla and Microsoft, have all agreed to incorporate the final version of the protocol, which allows websites to bypass the pesky password in favor of an external authenticator such as a security key or your mobile phone. These devices will communicate directly with the website via Bluetooth, USB or NFC. The standards bodies have referred to this approach as ‘phishing-proof’.
Yes, by switching to this method, not only will you eliminate the need for a password — or to come up with a 20-character one every few weeks to please the security gods — but the whole reason for that kind of security farce will disappear. Without passwords, we can eliminate many of the common security threats out there including phishing, man-in-the-middle attacks and general abuse of stolen credentials. That’s because using a system like this, there wouldn’t be anything to steal. The authentication token would only last as long as it takes to authenticate the user and no more and would require a specific device to authenticate.
The WebAuthn specification offers several examples of how this could work. In one example, you are working on a laptop and you access a website that requires you to log in. Instead of a username and password, you get a prompt to check your phone. You tap the prompt on your phone and you are logged in without entering anything.
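To make the ‘phishing-proof’ claim concrete, here is an added example (not code from the article, the FIDO Alliance or the W3C specification text) of the checks a website performs on the clientDataJSON that the browser, not the page script, attaches to every WebAuthn login. The origin string `https://accounts.example.com` and the look-alike domain are assumed sample values; the signature check over the authenticator data that follows these steps in a real deployment is left out.

```python
import base64
import hmac
import json
import secrets

EXPECTED_ORIGIN = "https://accounts.example.com"   # assumed relying-party origin


def b64url(data: bytes) -> str:
    """base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(challenge: bytes, origin: str, typ: str = "webauthn.get") -> bytes:
    """Constructed stand-in for the clientDataJSON a browser would produce."""
    return json.dumps({"type": typ, "challenge": b64url(challenge), "origin": origin}).encode()


def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       expected_origin: str, expected_type: str = "webauthn.get") -> tuple[bool, str]:
    """Relying-party checks on clientDataJSON, run before the signature is examined.
    The browser fills in 'origin', so a login attempted from a look-alike domain
    carries that domain's origin and is rejected here even if the user was fooled."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != expected_type:
        return False, f"unexpected type {data.get('type')!r}"
    # The challenge must be the one this server issued for this login attempt;
    # constant-time compare, and a stale challenge means a replay or wrong session.
    if not hmac.compare_digest(str(data.get("challenge", "")), b64url(expected_challenge)):
        return False, "challenge mismatch (replay or wrong session)"
    if data.get("origin") != expected_origin:
        return False, f"origin {data.get('origin')!r} is not {expected_origin!r}"
    return True, "ok"


def demo() -> dict:
    """Three constructed logins: legitimate, from a look-alike domain, and a replay."""
    challenge = secrets.token_bytes(32)          # server-issued per-login nonce
    good = make_client_data(challenge, EXPECTED_ORIGIN)
    phish = make_client_data(challenge, "https://accounts-example.com")   # look-alike domain
    replay = make_client_data(secrets.token_bytes(32), EXPECTED_ORIGIN)   # stale challenge
    return {
        "legit": verify_client_data(good, challenge, EXPECTED_ORIGIN),
        "phish": verify_client_data(phish, challenge, EXPECTED_ORIGIN),
        "replay": verify_client_data(replay, challenge, EXPECTED_ORIGIN),
    }
```

Because the origin and challenge are bound into the signed data by the browser, a credential captured on the wrong domain or replayed later is useless to the attacker, which is what makes this scheme different from a password that works wherever it is typed.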
Brett McDowell, executive director of the FIDO Alliance, certainly saw the beauty of this new approach. “After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications,” McDowell said in a statement.
WebAuthn is not quite ready for final release just yet, but it has reached the “Candidate Recommendation” (CR) stage, which means it’s being recommended to the standards bodies for final approval.
No security method is foolproof, of course, and it probably won’t take long for someone to find a hole in this approach too, but at the very least it’s a step in the right direction. It is long past time that we came up with a new password-free authentication technique, and WebAuthn just might be the answer to the long-standing problem of passwords.