Will WebAuthn Finally Spell Doom for the Dreaded Password?

The new standard uses biometric and physical authenticators that could make passwords nearly obsolete.


Passwords stink. And everyone knows it.

They are the weakest link in cybersecurity — easily stolen, guessed or toppled by password-cracking software. And with the average person managing between 100 and 130 online accounts, for everything from social media to online shopping, good password hygiene is a fantasy for most people.

Consider that a strong password is alphanumeric and includes a mix of symbols and capital and lowercase letters. Passwords are also supposed to change often. Who can remember it all?

“There is no human being who is that smart,” says Frank Dickson, research vice president at IDC. “You just can’t do it.”

People use obvious passwords across multiple accounts “just to make life easier,” says Steve Wilson, vice president and principal analyst at Constellation Research. “And nobody knows they’ve lost a password until it’s too late.”

The good news: Soon, remembering passwords may be a job of the past.

Web Authentication (WebAuthn for short), a new standard proposed by the FIDO Alliance and the World Wide Web Consortium, could mean an end to traditional passwords.

WebAuthn is a set of anti-phishing rules that uses a sophisticated level of authenticators and cryptography to protect user accounts. It supports various authenticators, including physical security keys used today and emerging mobile and biometric technologies such as face recognition or fingerprints, says Dave Camp, vice president of engineering for Firefox at Mozilla.

For now, users can sign in to their accounts using external USB-based authentication systems.

WebAuthn Gains Traction with Businesses

The concept has been in the works since about 2014, but it now appears to have the support of industry heavyweights, including Apple, Google, Microsoft and Samsung.

When Mozilla released Firefox 60 in May, it included WebAuthn technology as a way to prevent phishing attacks.

“With Web Authentication, we’re giving people using Firefox the opportunity to add another layer of security to their browsing experience,” Camp says. “The end game here is to provide a secure alternative to passwords, using web-based technology.”

Dickson offers this example: Say someone wants to make an online purchase or buy a mobile app. When it comes time to authenticate that purchase, under a WebAuthn scenario, the person could receive an alert on their mobile device to confirm.

The person would then authenticate using facial recognition, a fingerprint, a swipe code or some other verification.

“It pings my phone, and says, ‘swipe to accept,’” Dickson says. “It doesn’t necessarily have to be a biometric.”

Does that mean death at last for the dreaded password? Not quite, Wilson says: “It’s more accurate to say that the initiative will see passwords disappear from routine logon. We will still have passwords for when our fingers are dirty and can’t be read, or if we need to recover from a lost phone scenario.”

Still, WebAuthn offers significant improvements over traditional passwords.

“It doesn’t take much to be better than a password because passwords are horrible,” Dickson says.

Change won’t happen overnight, he says. Instead, the move to Web Authentication will take time.

“The problem is creating standards so that everyone can agree,” he says. “That process takes a long time.”