Passwords just don’t work all that well for our modern-day websites and web apps: They’re insecure, they’re hard to remember, and they’re a lot of hassle to manage for only the basic account protection that they provide. Now Chrome and Firefox are leading the charge to kill off passwords on the web for good.
This latest push to make logins seamless, secure, and smooth comes via the Web Authentication standard proposed by the FIDO (Fast Identity Online) Alliance for authentication protocols, and the World Wide Web Consortium (W3C), the standards organisation responsible for the bulk of what makes up the internet. It’s supported in Firefox 60 and Chrome 67, and here’s how it works.
Passwords bad, biometrics good
The idea behind Web Authentication (WebAuthn for short) is that you can use all manner of options in place of a password: A fingerprint, a webcam, a USB stick plugged into your computer, and so on. These login methods have been around for a number of years, but Web Authentication is designed to get them standardised across the web, and more seamlessly integrated into online logins.
As with a password login, the protocol allows sites to challenge users to prove their identity. In this case though, everything is locked down and secured as much as possible — it only works across HTTPS and no personal information is transmitted, so no one looking over your shoulder or sat five tables over at the coffee shop is going to be able to steal your credentials.
In practice there are a few different ways this could work, but one scenario is signing up on a new account on a website using your phone. Rather than entering yet another username or password, you’re asked if you want to register your current device—choose yes, confirm your identity with a fingerprint or a PIN code (just like you would if you were buying something from an app store), and you’re in.
If you’re signing in on a laptop, you might get a prompt to login using your phone — you can then use your phone’s fingerprint or face login method to prove you are who you say you are, with communication handled via NFC or Bluetooth. Alternatively, the site could check for a previously registered USB stick slotted into the laptop, rather than prompting for a password.
It’s really a logical extension of what browsers already do: Remembering your passwords for you and auto-populating login fields whenever they pop up. Many of us already have all our login credentials securely stored in the browser, with something like a Windows or macOS account password stopping others from accessing the browser and opening up whatever sites they like.
With WebAuthn, this idea gets even simpler, with only a single tap required in a lot of cases. One added benefit is that the next time a batch of passwords spills out on the web, you don’t have to worry quite so much, because you’ve still got your fingerprint, or the contours of your face, or a physical USB stick to fall back on.
If you use Smart Lock on a Chromebook, or your Apple Watch to unlock your Mac, it’s almost exactly like that. When the desktop login screen appears, if a verified device is close by, the login process starts automatically—there’s no need to select a user account or type out a password. What WebAuthn is looking to do is make accessing websites just as easy.
There are still issues to be ironed out, like having a robust recovery system in case you get hacked, and ensuring it’s easy to switch from an old phone to a new phone when you upgrade. But it’s a significant step up in both convenience and security from thinking up 100 passwords and usernames, or even having to fire up a two-factor authentication app every time you want to log in somewhere new.
As we’ve mentioned, the technology is now supported in the stable releases of Mozilla Firefox and Google Chrome, and is coming to Microsoft Edge in the near future. So far Apple hasn’t made much comment on supporting WebAuthn in Safari — the company is a member of W3C but not FIDO, so make of that what you will.
When can I use it?
Even with that browser support, it’s still an experimental technology, and only a standard the W3C has recommended that sites adopt—not a requirement. We’ve yet to see any popular consumer sites make use of the new tech, though the big names in the industry are making the right noises about supporting it in the future.
You can get something near to WebAuthn now though, in preparation. One option is the FIDO Universal 2nd Factor (U2F) standard, kind of a forerunner to Web Authentication — Gmail is one site that supports U2F, so instead of using an authentication app, you can use a verified USB stick instead. The tech also works with Facebook. This isn’t replacing your password though, but rather adding a two-factor safeguard.
While we wait for WebAuthn to arrive, you should at least be storing your passwords as securely as possible. We’ve long championed the idea of using a reputable password manager to keep an eye on your login credentials, and the best packages will even suggest hard-to-crack passwords for new sites. These password managers — including 1Password, Keeper, Dashlane, and LastPass—work across desktop and mobile, for apps and websites.
Most modern browsers will do a lot of this password management for you, and if you haven’t already switched on the functionality, it’s well worth doing so while you wait for WebAuthn to kill off the password — in Chrome you can find the option under Advanced and Manage passwords in Settings, for example; in Firefox, it’s under Privacy & Security and then Forms & Passwords in Preferences.
Safari’s password management goes beyond the browser with the help of iCloud Keychain, an all-in-one system for remembering usernames and passwords across multiple devices (as long as those devices are made by Apple)—you can set it up via the iCloud option on your account page in iOS Settings. Apple is boosting this functionality in iOS 12 and macOS 10.14 Mojave by offering to generate strong passwords on your behalf as well as store them.
Not to be outdone, Google has extended Smart Lock to remember your passwords and login credentials across every device you own (as long as those devices are running Google software). The passwords Google stores in Chrome and Chrome OS are automatically carried over when you register an Android device with the same Google account, enabling easy access to your apps. You can also view all your passwords on the web.
The user experience for these most modern services is similar to what WebAuthn will bring, but passwords are still underpinning the process—these tools just make it easier to manage those passwords.
What Web Authentication wants to do is erase passwords altogether, making logging into websites as easy as unlocking your phone with the touch of a finger. Work on the standard continues, but you’ll have to keep remembering your passwords for a while yet.