Microsoft had a hidden surprise in its latest Windows 10 Redstone 5 Fast Ring preview: it's well on its way to killing off the need for you to keep a ton of unique secret passwords to log in to your favorite websites.
Edge still gets replaced by Chrome as the default browser on most Windows 10 devices, but soon it will be gaining a new and probably exclusive Windows Hello authentication feature that could make it a preferable browser for signing in to frequently visited sites.
WebAuthn, short for Web Authentication, is a W3C specification developed in conjunction with the FIDO Alliance, the group behind the earlier specification that let users sign in to websites using a security key, like Yubico's YubiKey. The catch was that the only browser that supported it was Google Chrome.
WebAuthn has bigger goals but importantly it is already supported in various stages by Mozilla's Firefox, Google Chrome, and Microsoft Edge. The spec reached the advanced Candidate Recommendation (CR) stage in March.
WebAuthn will, on supported websites, allow users to sign in using a security key, like the YubiKey USB or NFC keys or Google's NFC and Bluetooth FIDO Titan key, or a biometric, like a fingerprint or eye scan stored on a phone, instead of a password.
It allows devices to sign in via USB, Bluetooth Low Energy, or NFC.
Firefox 60's addition of WebAuthn offered a peek at what things could be like in future when website support is broader; Dropbox, which already allowed Chrome users to sign in with Yubikey as a second factor, extended that option to Firefox users too.
Chrome 67 added WebAuthn support, too. In simple terms, it will allow users to register key pairs with a WebAuthn-supported website and a security device.
Microsoft boasted in a blog that Edge's implementation of the CR version of Web Authentication is "the most complete support for Web Authentication to date, with support for a wider variety of authenticators than other browsers".
"Windows Hello allows users to authenticate without a password on any Windows 10 device, using biometrics -- face and fingerprint recognition -- or a PIN to sign in to websites. With Windows Hello face recognition, users can log in to sites that support Web Authentication in seconds, with just a glance." The post also notes that FIDO2 devices are supported.
Obviously Microsoft doesn't have a smartphone platform for future uses of WebAuthn aimed at consumers, but it hasn't been shy of creating a bunch of apps across Android and iOS of late that make it easier to connect them with Windows 10 devices.
Either way, the justification for its support is plain to understand. People plus passwords equals a potential security disaster, as seen in the silly passwords, password reuse, dumb password rules, and massive data breaches where credentials are leaked.
"We trust websites to process credit-card numbers, save addresses and personal information, and even to handle sensitive records like medical information," said Microsoft.
"All this data is protected by an ancient security model -- the password. But passwords are difficult to remember, and are fundamentally insecure -- often reused, and vulnerable to phishing and cracking."
Microsoft shows how Windows Hello can let users authenticate themselves without a password on any Windows 10 device using biometrics.