Microsoft Edge Finally Adds WebAuthn Support: What Is Web Authentication?
Microsoft's own Bill Gates declared in 2004 that the password is dead. Embarrassingly for what is undoubtedly one of Silicon Valley's most influential figures, after fourteen years, the password still seems to be very much alive and kicking. With that said, tech giants are trying to kill it, and Microsoft is certainly a part of this effort.
Last week, the Redmond-based company announced that users will soon have access to a piece of technology that will allow them to navigate through their everyday online lives without needing to remember all those complex passwords.
It's called WebAuthn, which is short for Web Authentication, and it's coming to the Edge browser. Users will need to wait, though. The new feature is set to arrive either with Windows 10 version 1809 or with 1903 meaning it will come out either in October or in the first half of next year. For the people signed up for Windows 10's Insider program, the technology is already available.
You have probably used a fingerprint reader. Most likely your laptop and/or smartphone has one. When you touch it, the operating system recognizes that you are who you say you are, and it lets you in. Although there's a password or a PIN that acts as a backup, you rarely use it, and you have therefore put less effort in trying to remember it.
The idea of WebAuthn is to bring this convenience to the World Wide Web and your online accounts. In addition to biometric data, WebAuthn can work with hardware tokens, and although Edge users will need to wait before they can see it in action, Google Chrome and Mozilla Firefox have supported the standard for a while now.
Why does WebAuthn exist?
Because we have a serious problem with passwords. People just can't remember multiple strong and unique passwords, and they resort to protecting their accounts with sequences of numbers, simple words, and keyboard patterns which, in this day and age, just isn't good enough. Password reuse is rampant, and data breaches are now an everyday occurrence.
Instead of passwords, WebAuthn uses cryptographic keys which, the experts explain, can't be forgotten, phished, or stolen.
Why hadn't I heard of WebAuthn until today?
In a word, because it's not quite ready yet. In 2016, the World Wide Web Consortium (W3C) created the Web Authentication Working Group whose purpose was to develop what we would end up knowing as WebAuthn. It wasn't until March of this year that the standard was published as Candidate Recommendation which basically means that W3C is not ready to fully endorse it.
When it's finished, we're pretty sure that web application developers will be quick to implement it as a login option, but we'll then be faced with hardware problems. Although more and more PCs and phones are shipped with biometric devices, fingerprint, face, and retina readers are far from ubiquitous. The hardware tokens that act as an alternative cost money which could slow down adoption as well.
What do I do while I wait for WebAuthn to become the norm?
As an authentication tool, the password is riddled with faults, and sooner or later, it will be replaced. Although WebAuthn might very well turn out to be the thing that kills it, it's still not a viable alternative which means that we need to find a way of staying safe despite the current system's flaws.
The best way to do it is to use a password management application like Cyclonis Password Manager. It will let you use complex, unique passwords for all your accounts, and it will create them for you. It will store them in an encrypted vault meaning that nobody but you will have access to them, and it will give you a few additional extras like syncing across multiple devices and automatic login for free.