Passwords are as poor as they are prevalent. The death of passwords has been predicted many times over the years, for example by some guy called Bill Gates way back in 2004. Clearly, predictions are a risky game, but recent developments suggest that we may, actually, honestly, finally be about to see the death of passwords; they shall certainly not be missed, if so. In this article, we will look at the newly-minted WebAuthn standard for Web authentication, and what it may mean for authentication.
WebAuthn is a recently-finalised official Web standard devised by the World Wide Web Consortium (W3C) and the Fast IDentity Online (FIDO) Alliance. Web standards are the technical specifications of how various aspects of the online experience should work, and the W3C are the primary body responsible for developing and promulgating them. Having been announced as a W3C Recommendation on March 4th, 2019, WebAuthn is already supported by Edge, Firefox, Chrome, Opera and Android Browser.
The goal of WebAuthn is to encourage ‘Web services and apps…to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys, and with much higher security over passwords alone’. On Web services that have enabled WebAuthn support, the user will be able to authenticate themselves using one of those means rather than a password.
Because the authenticator creates a separate key pair for each service, a user’s login credentials are unique per site, meaning ‘they cannot be used to track users across sites’, whilst credential stuffing and password spraying attacks are stopped in their tracks: there is no shared secret to reuse. Additionally, as the private key never leaves the authenticator and the service’s servers hold only the corresponding public key, WebAuthn ‘eliminates the risks of phishing, all forms of password theft and replay attacks’. A breached database yields nothing an attacker can log in with; the browser binds each signature to the site’s real origin, so a look-alike domain cannot relay it; and each signature covers a fresh server-issued challenge, so a captured login cannot be replayed.
However, all is not perfect. Dropbox, an early WebAuthn adopter, retains the use of passwords, citing the fact that ‘there are still many security and usability factors to consider in these scenarios before replacing passwords entirely’. One usability consideration will be that of users who insist on using browsers that do not support WebAuthn. Currently almost 67% of browsers in use do, and this proportion will rise with time, but there will always be holdouts—viewport units, introduced in 2012, are still only supported by 92% of users’ browsers—and few businesses are likely to want to sacrifice those users’ custom in the name of security. Plus, as Thomas Claburn points out in The Register, ‘you’ll [now] get to worry about losing your physical hardware key rather than losing the secrecy protecting your passwords through a poorly secured server.’
Security concerns must also be taken into account. Whilst something you know cannot be taken from you without your cooperation (or coercion), something you have (like an authentication keyfob) can be lost, stolen or physically seized. Consolidating every login onto a single authenticator, whilst it has advantages over a scattering of per-service passwords, comes with tradeoffs: that one device becomes a particularly attractive target, and a lucrative payout if an attacker gets hold of it. Registering a second authenticator as a backup, and revoking a lost one promptly, is the practical mitigation.
Ultimately, time will tell whether WebAuthn is the final nail in passwords’ coffin or whether, in 15 years, those suggesting such will look as optimistic as Mr Gates did in 2004.