Will a new encryption standard make passwords obsolete?

We have complicated relationships with our passwords. On one hand, they protect our accounts and the sensitive information within them. They provide a level of security intended to keep spammers and fraudsters out of our professional, financial and social media spaces.

On the other hand, as we connect to more sites and apps, we can start to lose control of our passwords. Most of us have ad-hoc ways of tracking them, but most of us also can’t go long without frantically requesting a password reset. According to a study by Yubico, a provider of hardware authentication security keys, users spend an average of 10.9 hours each year entering and/or resetting passwords.

Passwords have become a necessary evil of using the web, but their days as gatekeeper are numbered. As technology evolves, passwords are increasingly ineffective, and alternatives with greater security will likely replace them. With any luck, these alternatives will also be easier to manage.

One emerging technology primed to replace the password is WebAuthn. On March 4, the World Wide Web Consortium (W3C) approved WebAuthn as an authentication standard to increase web security on an international level. WebAuthn, which stands for Web Authentication, was designed to replace password-based authentication as a way of securing your online accounts. Through an API (application programming interface), WebAuthn lets websites communicate with an approved device to allow users access to a site or service.

The W3C’s approval makes WebAuthn an official web standard, which makes it much more likely to be accepted and used by website owners. Users who employ WebAuthn can access their online accounts using biometrics, mobile devices and/or FIDO (a tech industry association dedicated to reducing our reliance on passwords) security keys, but only if a site accepts the specification. Many mainstream browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge, already accept the standard. Apple also supports WebAuthn in preview versions of Safari.

When you use WebAuthn, you don’t need to enter a password to access your account. That’s because WebAuthn works with FIDO’s Client-to-Authenticator Protocol (CTAP), which allows users to leverage common devices to easily authenticate themselves with websites or apps. Users can employ this technology in mobile or desktop environments. According to FIDO, “CTAP enables external devices such as mobile handsets or FIDO Security Keys to work with WebAuthn and serve as authenticators to desktop applications and web services.”

So, how does it work for the common user? Users can buy a physical security token, such as the YubiKey offered by Yubico, and plug it into their desktop or laptop computer. The key material could also be stored within a device’s operating system. The WebAuthn API also allows browsers to use a mobile phone’s biometrics, like thumbprint readers or facial recognition, as a security key.

The WebAuthn specification uses public key cryptography: the browser asks an authenticator to sign a challenge from the site with a private key stored in the operating system or on a physical hardware token. Using this key eliminates the need for a password as long as the accessed site accepts WebAuthn. This approach is considered far more secure than logging in with a typed password, and it’s much simpler for the user too.

Because WebAuthn technology is still an emerging technology, our days of keeping sticky notes scribbled with passwords under our keyboards aren’t quite behind us yet. However, we are one step closer to a password-free online reality.
