Juggling passwords is a chore, and soon you might not have to

News
By Paul Lilly
published

A newly approved web standard supported by every major browser could let you log into all your accounts without a password.

Password managers like LastPass exist because (A) you should be using strong, difficult to guess and unique passwords for every important account, and (B) remembering several or even dozens of passwords is no easy task. Fortunately, the web is moving towards an easier and more secure way of doing things thanks to WebAuthn.

WebAuthn, which is short for Web Authentication, is an API that allows for secure, password-less logins. It's not a new standard, but up until now, it was not an official one. The World Wide Web Consortium (W3C) changed that today by declaring WebAuthn as an official web standard, thus paving the road for more widespread adoption.

"Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences," said Jeff Jaffe, W3C CEO. "W3C's recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site."

The WebAuthn API allows users to log into websites using biometric security measures, such as fingerprint scanning or facial recognition. It can also be used with FIDO security keys that plug into USB ports, and mobile devices such as smartphones to verify a user's identity.

Having a standard is one thing, but actually utilizing it is another. One thing that works in the API's favor is that it is already supported in Windows 10 and Android, and by every major web browser. That includes Chrome, Firefox, Edge (which is being rebuilt around the same engine as Chrome), and Safari.

That said, support is not automatic—websites have to specifically code support for the API. It's W3C's hope that this will take place sooner than later.

"Web services and apps can—and should—turn on this functionality to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys, and with much higher security over passwords alone," W3C says.

For now, you'll still have to remember your passwords, or offload the task to a password manager. Perhaps not for long, though.

Paul Lilly
Paul Lilly

Paul has been playing PC games and raking his knuckles on computer hardware since the Commodore 64. He does not have any tattoos, but thinks it would be cool to get one that reads LOAD"*",8,1. In his off time, he rides motorcycles and wrestles alligators (only one of those is true).

See comments