There are many hassles and problems tied to securing accounts, websites and the like with passwords. Passwords can, of course, be forgotten. In many cases they are also too simplistic, which makes them easier to remember but also easier to crack.
Ideally, the web would slowly move away from its reliance on passwords, and an announcement today from the World Wide Web Consortium and the FIDO Alliance could hopefully be a step toward that.
Today’s W3C announcement builds on the unveiling last year of WebAuthn — short for Web Authentication — and notes that it’s now an official web standard. It works as a password-free authentication mechanism that lets users forgo passwords in favor of an authenticator like a biometric ID to register and authenticate themselves on websites as well as in mobile apps.
Per the W3C, WebAuthn is already supported by major browsers like Chrome, Firefox, Safari and Edge, and today’s announcement should help spur its wider usage across the web as a whole.
As part of today’s announcement, Microsoft vice president for program management in the company’s identity division Alex Simons said that this work has been a “critical piece” of Microsoft’s commitment to a password-free world. “Today,” he said, “Windows 10 with Microsoft Edge fully supports the WebAuthn standard, and millions of users can log in to their Microsoft account without using a password.”
Mozilla cryptography engineer J.C. Jones went so far as to call this new standard the “best technical response” to protect against phishing attacks “out of all multi-factor authentication solutions I know of.”
To explain why a standard like this is so important, the W3C announcement noted, with a bit of understatement, that passwords arguably outlived their usefulness a long time ago. According to the organization, “stolen, weak or default passwords” are behind 81 percent of data breaches, and passwords also cost time and resources to enter and regularly reset. Meanwhile, multi-factor authentication solutions like one-time codes delivered via text message do add an additional level of security, but they’re still no guarantee, “aren’t simple to use and suffer from low opt-in rates.”
Says Duo Security senior R&D engineer James Barclay: “The WebAuthn specification is a major and collaborative leap forward in the evolution of simpler, stronger user authentication ... WebAuthn’s security and privacy protections, built-in phishing resistance and ease-of-use give it the potential to drive widespread adoption across enterprise and consumer markets, making everyone safer as a result.”