Will the new WebAuthn standard replace the classic passwords?

21.03.2019

Despite all of the technological advancements, passwords remain the most popular way for people to secure and log into their various profiles and services. However, the classic passwords are often the weakest link in security.

“It’s common knowledge that passwords have outlived their efficacy. Not only are stolen, weak, or default passwords behind 81 percent of data breaches, they are a drain of time and resources”, W3C and FIDO Alliance say in a joint statement.

This may finally start to change. The World Wide Web Consortium (W3C) and the FIDO Alliance have recently announced that the Web Authentication API (WebAuthn) is now an official Web standard. This means web sites and applications will be able to use and offer password-free logins.

What is WebAuthn

WebAuthn removes the need for classic string passwords. Instead, it allows the use of fingerprints and other biometric identification methods. It is also possible to use FIDO security keys and nearby devices such as a phone.

WebAuthn is supported by Windows 10 and will become part of Android 7 and above with an update. Major browsers like Chrome, Edge and Firefox also support the standard already, while Safari is expected to do so soon.

Instead of passwords, WebAuthn produces a single-use token for each login. Basically, you get a unique password for every login, every time, and you never have to remember or write anything down. All you have to do is authenticate via a biometric marker, a FIDO security key or other means (e.g. a prompt on your smartphone).

Basically, the website or app sends a request, through your device, asking you to prove that it is really you. This doesn't mean the site learns exactly who you are. It is the same as with regular fingerprint scanners: to the site you are merely a hashed string, and the site doesn't even receive that biometric information. Instead, it simply receives a confirmation from the authenticator you use that, yes, it is indeed you. The actual biometric data stays stored on the device, as it always has.

All of this will make it much harder to break into accounts through the login. Even if attackers do intercept the token, it won't do them much good, because it is valid for one use only. Of course, it is not a 100% safety guarantee, but it is a lot better than the current state.

What will happen with classic passwords?

Well, despite how cool, easy and practical the use of WebAuthn sounds, classic passwords won't go anywhere anytime soon. First, there are still billions of users whose smartphones are not recent enough to run Android 7, and therefore cannot use WebAuthn. Even more people have no FIDO key at all.

Second, although the WebAuthn standard may be official, this only means it is available, not mandatory. Companies, websites and apps are not required to support it; it is up to them to decide whether they want to or not.

The good news is that pretty much all of the big names already support it and this means it will gain some good initial traction. However, it will still take a lot of time until it becomes mainstream and users feel convinced enough it’s better than their trusty passwords.