Chrome, Edge, Firefox user? Coming your way: New spec that cuts out passwords

Browser makers take an important step in reducing the need for passwords and all the security threats they bring.
Written by Liam Tung, Contributing Writer


Chrome, Edge, and Firefox will support a new Web Authentication API that should give more protection against phishing and reduce the need for passwords.

The W3C Web Authentication API specification, or WebAuthn, promises a simpler and safer way of signing up to a site. Rather than register with a username and password, the user registers a fingerprint, retina, or other biometric stored in a smartphone.

The system relies on public-key cryptography and ensures that each site a user signs up to has its own key pairs, addressing the common problem of password reuse.

Chrome 67 and Firefox 60 will ship with the WebAuthn API enabled by default when they reach stable release in May.

Once this API is available, a person could visit a site on a laptop, hit the sign-up button, and then receive a prompt on a smartphone asking the user to register.

The registrant needs to provide an 'authorization gesture', which could be a PIN or a fingerprint that then becomes linked to that account. In future, the individual will be able to sign in again with the same gesture.
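The per-site key pairs and the sign-up and sign-in steps described above can be modelled in a few lines. This is an added example, not code from the article or from the WebAuthn specification: `ToyAuthenticator`, `verifyAssertion`, `demo`, and the `.example` site names are hypothetical, and the message layout is simplified rather than the real WebAuthn format.

```javascript
// Added illustration: toy model of per-site key pairs; not the WebAuthn wire format.
const nodeCrypto = require('node:crypto');

// Hypothetical authenticator (e.g. a phone) holding one private key per site.
class ToyAuthenticator {
  constructor() { this.keys = new Map(); }
  // Sign-up: mint a fresh key pair for this site; only the public key leaves the device.
  register(site) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(site, privateKey);
    return publicKey;
  }

  // Sign-in: sign the site's challenge together with the origin the browser reports.
  sign(site, origin, challenge) {
    const privateKey = this.keys.get(site);
    if (!privateKey) return null; // no credential registered for this site
    const clientData = JSON.stringify({ origin, challenge: challenge.toString('base64') });
    return { clientData, signature: nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey) };
  }
}

// Hypothetical server-side check: origin, challenge, and signature must all match.
function verifyAssertion(publicKey, expectedOrigin, challenge, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin) return false;
  if (data.challenge !== challenge.toString('base64')) return false;
  return nodeCrypto.verify('sha256', Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

function demo() {
  const phone = new ToyAuthenticator();
  const shopKey = phone.register('shop.example'); // constructed site names
  const bankKey = phone.register('bank.example');
  const challenge = nodeCrypto.randomBytes(32);
  const good = phone.sign('bank.example', 'https://bank.example', challenge);
  const otherOrigin = phone.sign('bank.example', 'https://bank-login.example', challenge);
  const der = (k) => k.export({ type: 'spki', format: 'der' });
  return {
    distinctKeys: !der(shopKey).equals(der(bankKey)),
    legitimate: verifyAssertion(bankKey, 'https://bank.example', challenge, good),
    wrongOrigin: verifyAssertion(bankKey, 'https://bank.example', challenge, otherOrigin),
    wrongSiteKey: verifyAssertion(shopKey, 'https://bank.example', challenge, good),
    staleChallenge: verifyAssertion(bankKey, 'https://bank.example', nodeCrypto.randomBytes(32), good),
  };
}

console.log(demo());
```

Because each site stores only its own public key, a breach at one site yields nothing that can be replayed at another, which is the password-reuse problem the design addresses.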


The API would allow application developers to offer the type of sign-in processes that Google and Microsoft have rolled out for their respective users.

As Duo Security's Nick Steele recently noted, the WebAuthn spec draws on the FIDO Alliance's earlier standard called UAF or Universal Authentication Factor, but has a number of technical advantages and, more important for its long-term prospects, has backing from Google, Microsoft, and Mozilla.

In January, the specification moved to the Candidate Recommendation (CR) stage of approval as a standard.

Although Apple's Safari browser doesn't currently support WebAuthn, Apple has several staff on the Web Authentication working group.
