The World Wide Web Consortium and Fido Alliance Announce WebAuthn: What Does That Mean?
Usually, you're not presented with that many options when you're creating a new online account. You obviously have to create a password, and for most people, this means going down one of two routes – a simple, easy-to-remember, and/or reused password that puts their accounts at risk; or a long, hard-to-guess password that is a nuisance to type and a pain to remember. It should go without saying that neither option is ideal. So, is there anything that can possibly change the way things are at the moment? Well, there is, and it might actually be going somewhere.
WebAuthn – the passwordless alternative
WebAuthn, short for Web Authentication, is a non-proprietary standard that facilitates the communication between websites and a security device. Two standards bodies, the World Wide Web Consortium (W3C) and the FIDO Alliance, have been working on it for the last few years, but the concept can trace its roots back to the FIDO Alliance's Universal Authentication Framework (UAF) API from 2014.
The goal of both WebAuthn and UAF is to provide a new, secure way of logging in to online accounts without the need to remember or enter any passwords. For a variety of complicated reasons, UAF failed to make an impression on our everyday lives, but it would appear that WebAuthn might just be different.
On Monday, the W3C and FIDO announced that WebAuthn is now an official web standard. In simple terms, this means that the experts are confident enough to start advising web and app developers to implement it in their products. To understand how all this is going to affect us all, we need to take a look into how WebAuthn works.
How does WebAuthn work?
From a user's perspective, things are pretty straightforward. The idea is, instead of entering a username and a password, you either use the biometric authentication mechanisms on your computer or smartphone, or you utilize a hardware token that can be carried on a key ring and works with USB, NFC, Bluetooth, or a similar communication protocol. There is no password involved at all, which sounds like an appealing concept. But what about the security aspect?
While the process is simple on the face of it, behind the scenes, a WebAuthn login is a fairly complex operation. It's all based on public key (also known as asymmetric) cryptography, which means that two keys are involved – a public and a private one. Every single one of your accounts gets its own pair of cryptographic keys, which your computer or hardware token generates upon registration. The public key is sent to the service provider, and the private one is stored on your device. When you're trying to log in, the service provider sends a freshly generated challenge, which your device signs with your private key. That signature can only be verified with the matching public key, which is how the service provider knows that you are who you say you are.
There are more than a few security benefits to this scheme. First of all, signing in requires two keys stored in two different locations. Even if the crooks somehow manage to steal or intercept your public key, they'll have no way of logging in without the private one which, as you may remember, never leaves your device.
What's more, unlike passwords, cryptographic keys can't be guessed, credential-stuffed, reused, or phished. In other words, most of the attacks that traditionally work on passwords aren't effective against a WebAuthn scheme.
The new web standard is remarkable because it's one of the few examples of a technological innovation that not only improves usability but also results in better security.
So, the password is dead, then, right?
While it is certainly something to look forward to, we reckon that the demise of the password is still a long way away. There's little doubt in anyone's mind that the technology behind WebAuthn is sound, but there are still some obstacles to overcome.
For one, WebAuthn is a web standard, and as silly as it sounds, the word "standard" in its classical sense is a bit of a taboo in the online world. Take passwords, for example. We've used them as our primary login mechanism for quite a while, but even now, decades after they first appeared, we still can't agree on what is and what isn't a strong password. In much the same way, despite the obvious advantages, vendors don't seem to be on the same page when it comes to how quickly WebAuthn should be implemented.
Google's Chrome was the first browser to support WebAuthn, but it wasn't until a few months later that Firefox, another big name in the industry, implemented it. Microsoft took its sweet time incorporating WebAuthn into Edge, and Apple is still experimenting with the support for Safari. The situation is not much different in the mobile landscape. Last week, FIDO announced that very soon, all phones and tablets running Android 7.0 or higher will be FIDO-certified. WebAuthn is at the core of the FIDO2 protocol, meaning that these devices will effectively support passwordless login. Unfortunately, we've yet to see any information on when the standard will be incorporated in Apple's iOS. And even if all vendors embrace WebAuthn for their newer devices, you can't ignore the mountains of legacy systems that will be left behind.
Of course, after hardware vendors adopt it, website and application developers will all need to implement it as a login mechanism. In other words, WebAuthn is unlikely to completely replace the password any time soon. And until it does, you need to make sure that your accounts are as well protected as possible.
Using a password management application like Cyclonis Password Manager is the best way to do it. With it, you can create long, complex passwords without worrying about remembering them. In this day and age, relying on your brain to do this is simply not a good idea, and the best thing about letting Cyclonis Password Manager do all the work for you is that the autofill and autologin functions of the browser extension will bring additional convenience.