Firefox 60 lands: It's world's first browser to give you password-free logins, says Mozilla

Firefox becomes first browser to support the Web Authentication API, taking the world closer to no-password logins.
Written by Liam Tung, Contributing Writer

Mozilla has released Firefox 60 with support for a new option to sign in to websites without using a password.

That's thanks to an emerging W3C standard called Web Authentication or WebAuthn, which is enabled by default in Firefox 60 and is coming later this month to Chrome 67 and Microsoft Edge. It's also under consideration for Safari.

By removing passwords, the WebAuthn API will make phishing attacks a lot harder and give users more convenient authentication choices, including hardware security key dongles such as a YubiKey device, fingerprint readers on smartphones, or facial-recognition systems like the iPhone X's Face ID.

A key advantage, shared with the FIDO Alliance's predecessor U2F standard for security keys, is that WebAuthn generates cryptographic public-private key pairs for signing in, which means there are no shared secrets that could be leaked if a site is hacked.
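
A simplified model of that sign-in flow, added here as an illustration and not taken from Mozilla, the W3C specification or any browser: the site stores only a public key, and the signed data names the origin the browser is actually on, so a challenge relayed through a look-alike page is rejected. The class names, origins and message layout are constructed assumptions, not the real WebAuthn wire format.

```javascript
// Simplified model of public-key sign-in; NOT the real WebAuthn wire format.
// All class names, origins and message fields are constructed for illustration.
const crypto = require('crypto');

// Authenticator (e.g. a security key): keeps one private key per origin.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this leaves the device
  }
  sign(origin, challenge) { // origin is what the browser reports, not what the page claims
    const key = this.keys.get(origin);
    if (!key) return null; // no credential for this origin
    const clientData = JSON.stringify({ origin, challenge: challenge.toString('base64') });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), key) };
  }
}

// Relying party (the website): stores public keys only, so a leaked
// user table contains nothing that can be used to sign in.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge(user) {
    const c = crypto.randomBytes(32);
    this.pending.set(user, c.toString('base64'));
    return c;
  }
  verify(user, assertion) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // each challenge is accepted once
    if (!assertion || !expected || !this.users.has(user)) return false;
    const data = JSON.parse(assertion.clientData);
    if (data.origin !== this.origin || data.challenge !== expected) return false;
    return crypto.verify('sha256', Buffer.from(assertion.clientData),
      this.users.get(user), assertion.signature);
  }
}
function demo() {
  const site = new RelyingParty('https://site.example'); // constructed origin
  const key = new Authenticator();
  site.enroll('alice', key.register(site.origin));
  const genuine = site.verify('alice', key.sign(site.origin, site.newChallenge('alice')));
  // A look-alike page relays a real challenge; the browser reports its true origin.
  const relayed = key.sign('https://site-login.example', site.newChallenge('alice'));
  return { genuine, phished: site.verify('alice', relayed) };
}
```
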

Though the standard is currently only rolling out to desktop browsers, in future mobile browsers are likely to support it too.

Beyond signing into websites, WebAuthn combined with another W3C standard in development, the Payment Request API, will one day make it possible to authorize online purchases from a mobile browser using a fingerprint.

But as it stands, Firefox for the desktop is the first browser to support WebAuthn. According to Mozilla, WebAuthn currently supports security keys such as those from Yubico when plugged into a USB port, but in future it will enable biometric login from mobile devices following a notification issued by a website, so long as the site also supports WebAuthn.

Aligning with Firefox 60's WebAuthn support, Dropbox this week rolled out support for the standard too.

Dropbox has supported U2F since 2015 but only allowed secure sign-in to Dropbox from Chrome. Dropbox sees potential in WebAuthn because it will allow secure sign-in from more browsers and eventually more devices.

However, for now, Dropbox and Firefox support for WebAuthn doesn't entirely remove the need for passwords and currently serves as a means of more broadly supporting two-factor authentication.

Also arriving with Firefox 60 is Mozilla's new money-making scheme "sponsored stories", courtesy of its acquisition of the read-it-later service, Pocket. However, users can disable sponsored stories if they want.

The feature is rolling out to some US users and will appear in New Tab within Pocket recommendations. Mozilla stresses it is respecting user privacy by generating recommendations on the computer and that browsing history remains private.

Finally, Mozilla has released Firefox Quantum for Enterprise, a version of the browser for business that lets admins configure it through Group Policy on Windows machines or through a JSON file that works on Windows, Mac and Linux.

Organizations can choose the standard Firefox Rapid Release with new features every six weeks or the slower Extended Support Release, which is updated annually.
