Passwords have long been the global standard for basic authentication and sign-in on the web. But several groups are working toward a future where passwords might be a thing of the past.
The FIDO Alliance and the World Wide Web Consortium (W3C) announced a new security and sign-in standard called Web Authentication (WebAuthn) on Tuesday. While the standard has been in the works for several years now, today’s announcement marks an important milestone in its development.
WebAuthn promises users a simpler and much more secure way of signing into a website or an online service. Rather than relying on text-based passwords, the new standard would use biometric methods or USB tokens to securely sign users in.
What that would look like in a practical sense is pretty simple. Instead of typing in a password, you’d simply authenticate via fingerprint or Face ID on a smartphone, or by inserting a USB security key into your computer. These methods could be combined with a password for a two-factor authentication-style system.
The standard, which was developed by FIDO, will also make phishing attacks much harder to pull off. That’s because WebAuthn is based on a cryptographic concept that forgoes reliance on a single string of characters. It’ll also address password reuse, as the system would ensure that users use a separate key for each service or site.
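To make the phishing and password-reuse points concrete, here is an added example (not code from the article, FIDO or the W3C) that models an authenticator holding a separate key pair per site and signing a server challenge together with the origin the browser reports. It is a simplified model rather than the real WebAuthn message format; the `Authenticator` class, `verifyAssertion`, `runDemo` and the `.example` origins are all assumptions made for illustration.

```javascript
// Simplified model of per-site keys and origin-bound signatures (constructed example).
// Not the WebAuthn wire format: no CBOR, attestation, rpIdHash or signature counter.
const nodeCrypto = require('node:crypto');

class Authenticator {
  constructor() { this.keys = new Map(); } // origin -> private key, never exported
  register(origin) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // the site stores only this
  }
  // `origin` is supplied by the browser from the address bar, not by the page.
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no credential was ever created for this origin
    const clientData = JSON.stringify({ origin, challenge: challenge.toString('hex') });
    return { clientData, signature: nodeCrypto.sign('sha256', Buffer.from(clientData), key) };
  }
}

// Server-side check: right origin, the fresh challenge, and a valid signature.
function verifyAssertion(expectedOrigin, challenge, publicKey, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin) return false;
  if (data.challenge !== challenge.toString('hex')) return false;
  return nodeCrypto.verify('sha256', Buffer.from(assertion.clientData),
    publicKey, assertion.signature);
}

function runDemo() {
  const BANK = 'https://bank.example', SHOP = 'https://shop.example';
  const PHISH = 'https://bank-login.example'; // look-alike site relaying the bank's challenge
  const auth = new Authenticator();
  const bankKey = auth.register(BANK), shopKey = auth.register(SHOP);
  const challenge = nodeCrypto.randomBytes(32);
  const good = auth.sign(BANK, challenge);
  const der = (k) => k.export({ type: 'spki', format: 'der' });
  return {
    legitimate: verifyAssertion(BANK, challenge, bankKey, good),
    phished: verifyAssertion(BANK, challenge, bankKey, auth.sign(PHISH, challenge)),
    crossSite: verifyAssertion(BANK, challenge, bankKey, auth.sign(SHOP, challenge)),
    replayed: verifyAssertion(BANK, nodeCrypto.randomBytes(32), bankKey, good),
    distinctKeys: !der(bankKey).equals(der(shopKey)),
  };
}

console.log(runDemo());
```

Only the sign-in at the genuine origin with the current challenge verifies; the look-alike origin has no key to sign with, and a signature captured earlier fails against a new challenge.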
Systems like this already exist, but their use is far from widespread. Perhaps the most important thing about WebAuthn is that it’s an open standard, meaning that it could be implemented across smaller sites and services and not just restricted to big players like Google or Facebook.
And there’s already progress on wider adoption. WebAuthn is already supported in the latest version of Firefox and there are plans to implement the standard in upcoming versions of Google Chrome and Microsoft Edge. While there’s no word on Safari implementation just yet, Apple is part of the group that helped to develop the standard.
As massive data breaches get worse, and seemingly more common, a new standard like WebAuthn could do wonders to mitigate password theft. And while its use might be restricted to security-conscious users and businesses in the near term, the ultimate goal of such systems is a world where phishing and password theft are, basically, impossible.