FIDO Alliance and W3C have a plan to kill the password

By now it’s crystal clear to just about everyone that the password is a weak and frankly meaningless form of authentication, yet most of us still live under the tyranny of the password. This despite the fact that it places a burden on the user, is easily stolen and is mostly ineffective. Today, two standards bodies, the FIDO Alliance and the W3C, announced a better way: a new password-free protocol for the web called WebAuthn.

The major browser makers, including Google, Mozilla and Microsoft, have all agreed to incorporate the final version of the protocol, which allows websites to bypass the pesky password in favor of an external authenticator such as a security key or your mobile phone. These devices will communicate directly with the website via Bluetooth, USB or NFC. The standards bodies have referred to this as ‘phishing-proof’.

Yes, by switching to this method, not only will you eliminate the need for a password — or to come up with a 20-character one every few weeks to please the security gods — but the whole reason for that kind of security farce will disappear. Without passwords, we can eliminate many of the common security threats out there, including phishing, man-in-the-middle attacks and general abuse of stolen credentials. That’s because with a system like this, there wouldn’t be anything to steal. The authentication token would last only as long as it takes to authenticate the user, and it would require a specific device to authenticate.

The WebAuthn specification offers several examples of how this could work. In one example, you are working on a laptop and you access a website that requires you to log in. Instead of a username and password, you get a prompt to check your phone. You tap the prompt on your phone and you are logged in without having to type anything.

Steve Wilson, an analyst at Constellation Research who watches the identity market, says this is a big deal. “It will accelerate the adoption of modern non-password authentication. It will make biometrics and high-security personal authenticators like the YubiKey easier to deploy across platforms, and more consistent for customers to use.”

Wilson says this capability has broad implications. “Web developers will be able to use standard APIs to call up FIDO capabilities. A website, say for a bank or a health service, will be able to register clients within their existing customer pages, producing clean in-browser sign-up experiences. A website will be able to check if a user has a FIDO authenticator and request it, for a seamless logon.”

WebAuthn is not quite ready for final release just yet, but it has reached the “Candidate Recommendation” (CR) stage, which means it’s being recommended to the standards bodies for final approval.

No security method is foolproof, of course, and it probably won’t take long for someone to find a hole in this approach too, but at the very least it’s a step in the right direction. It is long past time that we came up with a new password-free authentication technique, and WebAuthn just might be the answer to the long-standing problem of passwords.