Browsers begin to support new web standard for password-free authentication

Greg S


Remembering increasingly complex passwords is difficult and writing them down is not always the best idea. Enter the WebAuthn standard, built by W3C and FIDO Alliance, to eliminate the need for password-based authentication.

After more than two years of development, major browsers are bringing support for WebAuthn. Mozilla Firefox now supports the standard. Google Chrome and Microsoft Edge will be adding support over the next few months. There has been no official commitment from Apple to implement the standard in Safari, though support is expected since Apple is a part of the W3C group working on the standard.

Biometric credentials and hardware tokens will be able to completely replace or supplement traditional passwords. Facial recognition, fingerprint readers, iris scanning, and voice analysis could all be used to verify the identity of a user.

One of the key considerations in promoting widespread adoption is making WebAuthn easy for small businesses and websites to implement. Readily available libraries will help make it easy for anyone to move away from password-based login forms and switch to biometric or hardware-based authentication methods.

During the authentication process, there is no single validation string that will grant access to a user. A zero-knowledge proof allows a website to identify that a user is the proper person without transmitting any information that would be harmful if intercepted. Firefox's implementation below outlines the process.

Phishing is still a problem for organizations that hold sensitive data. The use of the FIDO standard almost completely eliminates the threat of spear-phishing attacks. Notice that no personal or sensitive information is transmitted during the authentication process.

Without the need to share any information with websites that could be used for malicious purposes, there is no way for conventional phishing attacks to work. However, theft of hardware keys can still pose a threat for those without strong alternative methods of two-factor authentication.


 
My only question is how long it will take for the hackers to create a workaround for this new security system. We've seen over the years that NONE of these are 100% safe, but any improvement is certainly welcome!
 
So, if you log into a web site from different computers, then that web site essentially creates a different user account for each different computer unless each computer has a fingerprint reader or unless you buy a fingerprint reader and carry it with you?

Personally, I really do not see this working well.

Many sites, despite the fact that the guy who originated the password rules says that the ones originated in the 80's/90's were crap, still follow those rules and do not, for instance, let you enter a 100-character string that is an easy-to-remember phrase that could be used in multiple places, since the complexity of such a phrase is very high and would take literally trillions of years to crack if it is encrypted properly.

If you are using a fingerprint, then the site you are using that with has to store that data somewhere and it could also be compromised - perhaps more easily than a password depending on its bit-depth.

To me, this sounds as complex and as likely to fail as the now known garbage rules for passwords that are nearly impossible to remember. I use a 50+ character phrase on multiple web sites for a password. By statistical probability, it is unlikely to be cracked unless there is some basic flaw in the encryption of the web site and hackers get that data.

Sometimes, "brains" make things far too complex, IMO.
 
So, they are wanting to track us by our fingerprints? Just simply compare and/or upload these to the government database and they can track who is searching for what. Next they will identify us by fingerprint and upload our retina scans and add that to the database. Great... another step forward in privacy invasion and Big Brother putting their nose on us.

Next they will be making us use pinpricks to use our DNA for identification... Then eventually the sign of the devil as foretold. ;)
 
So...let me get this straight...instead of typing passwords into my browser to access a site out on the Internet, I will instead have biometric data validated only on my local PC.

So how is the website/app I'm accessing going to know that the biometric data was validated without some data being transmitted over the Internet?

And even if nothing more than an, "Everything's OK!" message is being sent to the online server, what's to stop a malicious hacker from fooling the online site with a false positive authentication signal?

(cue Han Solo voice): "We're fine, everything's fine...how are you?"

(Yeah, that worked out real well for Solo)...
 
I for one don't want every entity in the world to have my fingerprint. I don't use this technology on my phone for that reason. If I at anytime can't change my password, email, or phone number, then I'm not using it.
 
So, they are wanting to track us by our fingerprints? Just simply compare and/or upload these to the government database and they can track who is searching for what. Next they will identify us by fingerprint and upload our retina scans and add that to the database. Great... another step forward in privacy invasion and Big Brother putting their nose on us.

Next they will be making us use pinpricks to use our DNA for identification... Then eventually the sign of the devil as foretold. ;)

This is a useless claim, as any crypto system can decouple data from identity, so they won't transmit the fingerprint, but instead use a strong trust system to exchange keys. The problem here is that you can't change your fingerprints if somebody steals them, and it's perfectly feasible. They can already track us this way, using fingerprints is the same as using the password, only it's less secure.
 
So...let me get this straight...instead of typing passwords into my browser to access a site out on the Internet, I will instead have biometric data validated only on my local PC.

So how is the website/app I'm accessing going to know that the biometric data was validated without some data being transmitted over the Internet?

And even if nothing more than an, "Everything's OK!" message is being sent to the online server, what's to stop a malicious hacker from fooling the online site with a false positive authentication signal?

(cue Han Solo voice): "We're fine, everything's fine...how are you?"

(Yeah, that worked out real well for Solo)...

If you read the spec, it sends a cryptographic proof that you were validated that can't be replayed and doesn't give any information (such as the private key) to any attacker listening.

So, they are wanting to track us by our fingerprints? Just simply compare and/or upload these to the government database and they can track who is searching for what. Next they will identify us by fingerprint and upload our retina scans and add that to the database. Great... another step forward in privacy invasion and Big Brother putting their nose on us.

Next they will be making us use pinpricks to use our DNA for identification... Then eventually the sign of the devil as foretold. ;)

Fingerprint is just one method of securing the private key stored on your device. You can store it decrypted too if you are sure your device won't be compromised, or you can even secure the key with a password or PIN, which may sound just as secure as before, but remember that an attacker not only would need your fingerprint / password / PIN with this system, but they would also need to compromise one of your devices which was holding your cryptographic identity as well. So it would be significantly harder to compromise your identity with this system.

So, if you log into a web site from different computers, then that web site essentially creates a different user account for each different computer unless each computer has a fingerprint reader or unless you buy a fingerprint reader and carry it with you?

Personally, I really do not see this working well.

Many sites, despite the fact that the guy who originated the password rules says that the ones originated in the 80's/90's were crap, still follow those rules and do not, for instance, let you enter a 100-character string that is an easy-to-remember phrase that could be used in multiple places, since the complexity of such a phrase is very high and would take literally trillions of years to crack if it is encrypted properly.

If you are using a fingerprint, then the site you are using that with has to store that data somewhere and it could also be compromised - perhaps more easily than a password depending on its bit-depth.

To me, this sounds as complex and as likely to fail as the now known garbage rules for passwords that are nearly impossible to remember. I use a 50+ character phrase on multiple web sites for a password. By statistical probability, it is unlikely to be cracked unless there is some basic flaw in the encryption of the web site and hackers get that data.

Sometimes, "brains" make things far too complex, IMO.

Your fingerprint isn't what unlocks your user account, it's a cryptographic key that you may additionally and optionally secure with your fingerprint, which would be stored and verified locally and not sent to any server. The key here is that this system is based on public / private cryptography and, if implemented properly, would be incredibly difficult to compromise.
 
If you read the spec, it sends a cryptographic proof that you were validated that can't be replayed and doesn't give any information (such as the private key) to any attacker listening.

Fingerprint is just one method of securing the private key stored on your device. You can store it decrypted too if you are sure your device won't be compromised, or you can even secure the key with a password or PIN, which may sound just as secure as before, but remember that an attacker not only would need your fingerprint / password / PIN with this system, but they would also need to compromise one of your devices which was holding your cryptographic identity as well. So it would be significantly harder to compromise your identity with this system.

Your fingerprint isn't what unlocks your user account, it's a cryptographic key that you may additionally and optionally secure with your fingerprint, which would be stored and verified locally and not sent to any server. The key here is that this system is based on public / private cryptography and, if implemented properly, would be incredibly difficult to compromise.

Thanks for the informative post.

This key still has to be unique to you, and you have to have it on every computer you use; otherwise, accessing your account from another computer is impossible. That was my original point.

If you get rid of username password combos entirely, there is no other way for validation to take place unless that key is on every computer you use. That is the potential hole in this scenario as I see it, and there are some out there that are still susceptible to socially engineered phishing attacks - especially the uninformed, non-technical user.
 
Main problem = 99.9% of people don't own any kind of fingerprint reading device and even if implemented in new tech it would take decades to be used by everyone. I have an old Microsoft keyboard that has one and they don't support it anymore. No new drivers, no Windows 10 drivers and it was only implemented as an alternative rather than a replacement to a password. Other methods of authenticating might work like voice but fingerprint reading has tried to catch on before and failed and there is no reason this time will be any different.
 
If you read the spec, it sends a cryptographic proof that you were validated that can't be replayed and doesn't give any information (such as the private key) to any attacker listening.

It has to give something to the server. If all the authentication message is sending is, "Hey, someone verified they were who they say they were", it does the server no good because the server doesn't know who the "someone" is. Unless we're talking about a site with only 1 possible user that is allowed to log into it, there has to be some information about the end-user that is included in the information sent to the server, information that is static & unchanging (i.e. your username, your actual name, etc.).

As for the 'specification'...note that the use of this particular API will require the browser script to scan & locate the authenticator app on your PC...a level of access that for security reasons most reasonable users will have turned off in their browser. Now, maybe you'll be willing to take the time to add a single exception for this script...except it won't be a single exception, because you'd need an exception for every website running their version of the script.

Nor does this necessarily prevent malicious sites from taking advantage of this. You don't think that malware & fake site coders can't come up with a script that will look like this script, but in actuality is not only getting the information used in the authenticator application but also determining which authenticator is used...so that they can then use their own PCs & pretend to be you to gain access?

From the description in the API, this is nothing more than a variation on 2-factor authorization...but instead of having to respond on your phone or using a unique USB fob, it's dependent on a 2nd application stored on your PC.
 