Web browsers are getting a new way to log in, announced today by the W3C and FIDO Alliance standards bodies. Called WebAuthn, the new open standard is already supported in the latest version of Firefox and will be supported in the next versions of Chrome and Edge, scheduled for release in the coming months.
WebAuthn has been working its way toward W3C approval for almost two years, but today marks the first major browser support announcement. Apple has not commented on Safari support for WebAuthn, although the company is part of the working group that developed the standard.
Today's announcement is the latest step in a multi-year effort to move users away from passwords and toward more secure login methods such as biometrics and USB tokens. The system is already in use at major services such as Google and Facebook, where you can log in with a YubiKey token built to the FIDO standard.
"A world where phishing is impossible for users"
WebAuthn will make that feature easier to implement for smaller services, whether they use those devices as a second factor or replace the password entirely. As more open source code is built for the new standard, it will be easier for developers to implement those logins, which could mean many more passwordless logins on the web.
"Previously, the work to back the tokens was happening between big companies like Google, Microsoft and Facebook, which would implement their own controllers," says Selena Deckelmann, who worked on the Firefox implementation. "With WebAuthn, you can use commonly available libraries."
Because the FIDO standard is based on a zero-knowledge proof, there is no single character string that guarantees access to an account, which makes a conventional phishing attack much harder to pull off. These logins are still rare, even on the services where they are available, but they give users and security-conscious companies an important way to protect themselves. And as more services move to support the stronger logins, the FIDO-ready user population will only grow.
"What this really allows is to move from using passwords to using a device, and to reach a world where phishing is impossible for users," says Deckelmann. "Now, we are not there yet. It is our glorious future. But that is where we all want to be."
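The phishing resistance described above, as an added example that is not from the article or from any browser, FIDO or WebAuthn library: a stripped-down WebAuthn assertion in which the authenticator signs the relying party's challenge together with the origin and relying-party ID the browser fills in, so an assertion produced on a constructed look-alike domain (examp1e.com) and relayed to the real site fails the relying party's origin check. The relying party (example.com), the challenge and the look-alike domain are all constructed; the hash and signature layout follows the WebAuthn ES256 scheme.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// signedDigest is what ES256 actually signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// Assert plays the authenticator: authData = SHA-256(rpID) || flags || signCount. The browser, not
// the user, fills in rpID and origin, so nothing the user could type into a fake form is involved.
func Assert(key *ecdsa.PrivateKey, rpID, origin, challenge string) (authData, cdJSON, sig []byte) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount = 1
	cdJSON, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	sig, _ = ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cdJSON))
	return
}
// Verify plays the relying party; it returns "" on success or the first check that failed.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, cdJSON, sig []byte) string {
	var cd map[string]string
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case json.Unmarshal(cdJSON, &cd) != nil || cd["type"] != "webauthn.get" || cd["challenge"] != challenge:
		return "challenge mismatch (malformed, stale or replayed assertion)"
	case cd["origin"] != origin:
		return "origin mismatch: assertion was produced on another site"
	case len(authData) < 37 || string(authData[:32]) != string(rpHash[:]):
		return "rpIdHash mismatch"
	case !ecdsa.VerifyASN1(pub, signedDigest(authData, cdJSON), sig):
		return "bad signature"
	}
	return ""
}
// Demo: verdicts for a genuine login and for the same browser's assertion made on a constructed look-alike domain and relayed.
func Demo() (genuine, relayed string) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const rpID, origin, ch = "example.com", "https://example.com", "constructed-challenge-1"
	a, c, s := Assert(key, rpID, origin, ch)
	genuine = Verify(&key.PublicKey, rpID, origin, ch, a, c, s)
	a, c, s = Assert(key, "examp1e.com", "https://examp1e.com", ch) // browser binds the look-alike origin
	return genuine, Verify(&key.PublicKey, rpID, origin, ch, a, c, s)
}
```

Because the challenge is fresh per login and the origin is signed by the device, the same assertion cannot be reused or forwarded from another site, which is the property a password never had.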