Someday all our problems with passwords could be a thing of the past. Firefox 60 is the first browser to support WebAuthn, a new standard for web authentication developed by the W3C in collaboration with the FIDO Alliance, with support from Google, Microsoft and Mozilla, to provide alternative ways of authenticating to websites.
The FIDO (Fast IDentity Online) Alliance is an industry consortium launched in February 2013 to address the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords.
WebAuthn defines a standard web API that can be incorporated into browsers and related web platform infrastructure, giving users new methods to authenticate securely on the web, in the browser and across sites and devices.
WebAuthn has been under development since 2016 and can be thought of as an evolution of the FIDO U2F and UAF protocols. It continues the FIDO tradition of allowing credentials to be used for step-up authentication.
However, its most significant innovation is that it lets users authenticate to a service without necessarily first identifying themselves with a username and password.
Last month, when W3C advanced WebAuthn to the Candidate Recommendation (CR) stage, W3C CEO Jeff Jaffe stated:
“Security on the web has long been a problem which has interfered with the many positive contributions the web makes to society. While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link. WebAuthn will change the way that people access the web.”
We are all aware of the problems of passwords: bad ones are easy to guess, strong ones are hard to remember and all passwords can be stolen by phishing attacks. While one-time codes can provide extra protection, they are rarely used and can also be phished.
Worse still, passwords are widely reused, so a successful phishing attack can give the perpetrator access to multiple websites and devices used by the victim.
WebAuthn aims to eliminate these problems, and Firefox 60 will ship with the WebAuthn API enabled by default, providing two-factor authentication built on public-key cryptography that is immune to phishing as we know it today. It will support authentication using standard USB-connected FIDO U2F devices; many compliant tokens are sold under names such as YubiKey, U2F Zero and others.
Introducing the new security measure on the Mozilla blog, Nick Nguyen writes:
With Firefox, WebAuthn allows people to use a single device like a YubiKey to log into their online accounts without typing a password, or as secondary authentication after entering a password. Only websites that have adopted WebAuthn will recognize your YubiKey and allow you access. Essentially, WebAuthn is a set of anti-phishing rules that uses a sophisticated level of authenticators and cryptography to protect user accounts. It supports various authenticators, such as physical security keys today, and in the future mobile phones, or biometric mechanisms such as face recognition or fingerprints. When your YubiKey is plugged in, the website will read it and automatically log you into your accounts.
For now WebAuthn relies on hardware keys, like YubiKeys, either on their own or alongside passwords. In future it could utilise any number of authentication methods including Windows Hello, face or fingerprint ID, or even a PIN terminal.
Once a user has authenticated at their end, no credentials leave their device – all a website sees is confirmation that authentication was successful – so there is nothing to steal.
Firefox is the first browser to support WebAuthn, but it is also coming in the next version of Google's Chrome and in Microsoft's Edge. That should improve web authentication compared to earlier attempts to support the technology.