Log In Update Means Never Remembering A Password Again

Written By Mohsen Salami

Remembering passwords for every web site and online service is about to become a thing of the past.

Keeping a list of scrambled letters and numbers in your head for logging in online is about to become a whole lot easier with a new web standard.

Web Authentication or WebAuthn will do away with passwords and stop hackers from stealing user information and credentials because web sites and computers will not hold any login data.

Instead, biometrics and smartphones will log web users on to services and sites.

“WebAuthn will change the way that people access the Web,” said Jeff Jaffe, chief executive of the World Wide Web Consortium (W3C), the body that controls web standards.

Smartphone alerts

He gave an example of a user visiting a web site and entering their user name.

They then get an instant alert on their smartphone. Tapping the alert message then logs them into the web site without needing a password.

“While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link,” said Jaffe.

The WebAuthn standard is ready to go; only Apple is standing in the way of full implementation across every major browser.

Microsoft (Edge), Google (Chrome) and Mozilla (Firefox) are already inviting developers to include WebAuthn on their sites.

No more phishing attacks

“After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications,” said Brett McDowell, executive director of the FIDO Alliance.

Besides WebAuthn, FIDO is developing the Client-to-Authenticator Profile, which works in a similar way to WebAuthn, relying on biometrics and other data besides passwords.

Biometrics are held on the device instead of a server. User identification is carried out locally and an ‘OK’ message is sent to the server confirming the user is who they purport to be.

“User credentials and biometric templates never leave the user’s device and are never stored on servers,” says FIDO.