The password has long been considered the weakest link in online security. Cybercriminals use phishing scams, data breaches, password reuse and brute force attacks to steal your credentials in hopes of breaking into your personal accounts.
Although you can protect your accounts with strategies like crafting long, unique passwords, enabling two-factor authentication and using a password manager, we can all agree that the old password system is clunky and susceptible to attacks.
Maybe it’s about time we get rid of the password and have something better take its place.
Thankfully, the wait is almost over. A new online authentication system is almost here – and it can revolutionize the way we secure our online accounts (and make them safer, too).
No more passwords?
The World Wide Web Consortium (W3C) just approved the Web Authentication API, known as WebAuthn for short, a new way to log into websites – one without passwords!
With the tech magic of WebAuthn, you can use hardware USB security keys or your biometric data like fingerprints, retina scans and facial recognition data to register and sign in to a site, instead of using the archaic username and password system.
Hopefully, this will provide better protection against phishing attacks and data breaches and move us a step closer to a truly password-free world.
Since WebAuthn now has W3C approval and it has been standardized, it’s only a matter of time before websites start integrating it with their authentication systems.
Fun fact: The W3C is the international organization responsible for the development of web standards.
What browsers will support WebAuthn?
Currently, Google Chrome, Mozilla Firefox and Microsoft Edge already support WebAuthn. Apple’s Safari browser also supports WebAuthn in its preview version on macOS, and it will likely roll out to its public version soon.
And speaking of hardware USB security keys, they’re starting to become popular with a growing number of online services. In fact, Google introduced its own brand of security hardware last year with the launch of its Titan Security Keys.
Web services that already have WebAuthn support include Dropbox and Microsoft.
How will password-free logins work?
Once WebAuthn is enabled on a site, you can then sign in to your account (or create a new one) then pair it with your phone to register an “authorization gesture.” That gesture can be your fingerprint, retina scan, or facial recognition data. If you’ve used fingerprint scanners and facial recognition to log in to your phone, you’ll be right at home with signing in with WebAuthn.
When paired, you can simply use that gesture to sign in to the website in the future. Think of it as similar to two-factor authentication but it uses your biometric data instead.
There are different scenarios in which WebAuthn can be used. Here’s what to expect during the transition:
Registration on the phone:
- User signs into an existing account using a password or registers a brand new account
- The phone will then ask “Do you want to register this device with this website?”
- If the user agrees, the phone will then prompt for an authorization gesture (fingerprint, facial scan, PIN, etc.)
Authentication on a computer:
- User signs in to a website using a browser and sees a “Sign in with your phone” option
- If the user selects this option, the browser will then display this message: “Please complete this action using your phone”
- User’s phone will display a prompt/notification
- A prompt for the saved authorization gesture (fingerprint, facial scan, PIN, etc.) will then appear
- User signs in with the selected gesture
How will this affect us?
If this method becomes the de facto standard for online credentials, it can switch users from using passwords to individual security keys and unique biometric data instead. This will make phishing attacks more difficult, if not impossible, to execute.
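The registration and sign-in steps above, and the reason a look-alike site cannot reuse the result, can be simulated in Node.js. This is an added example, not code from the article or the W3C: the site name bank.example, the look-alike host and all function names are constructed, and the authenticator is simulated in software.

```javascript
// Added example: simulated authenticator and relying-party checks (constructed values).
const nodeCrypto = require("node:crypto");
const sha256 = (b) => nodeCrypto.createHash("sha256").update(b).digest();

const RP_ID = "bank.example"; // hypothetical site
const ORIGIN = "https://bank.example";

// Registration: the device creates a key pair; the site stores only the public key.
function register() {
  return nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
}

// Sign-in on the device: the browser records the origin the user is really on, and
// the authenticator signs authenticatorData || SHA-256(clientDataJSON).
// (A real authenticator also refuses to use a key for a different site; this
// simulation signs anyway so the server-side rejection is visible.)
function authenticate(privateKey, challenge, originSeenByBrowser) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: "webauthn.get", challenge, origin: originSeenByBrowser }));
  const rpId = new URL(originSeenByBrowser).hostname;
  // rpIdHash (32 bytes) | flags: user present + verified (0x05) | counter (4 bytes)
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signature = nodeCrypto.sign("sha256",
    Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Website: accept only its own fresh challenge, origin and RP ID, with a valid signature.
function verify(publicKey, expectedChallenge, a) {
  const c = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (c.type !== "webauthn.get") return "wrong type";
  if (c.challenge !== expectedChallenge) return "challenge mismatch";
  if (c.origin !== ORIGIN) return "origin mismatch";
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return "rpIdHash mismatch";
  if ((a.authData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

// Three cases: genuine sign-in, sign-in relayed from a look-alike site, stale challenge.
function demo() {
  const { publicKey, privateKey } = register();
  const challenge = nodeCrypto.randomBytes(32).toString("base64url");
  const good = authenticate(privateKey, challenge, ORIGIN);
  const phished = authenticate(privateKey, challenge, "https://bank-login.example");
  const newChallenge = nodeCrypto.randomBytes(32).toString("base64url");
  return { good: verify(publicKey, challenge, good),
           phished: verify(publicKey, challenge, phished),
           replayed: verify(publicKey, newChallenge, good) };
}
console.log(demo());
```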
Is it finally time to retire the old password system? With WebAuthn now an approved web standard, a world without passwords is almost here.