In brief: Almost a year after browsers began implementing it, the W3C has announced the finalization of the WebAuthn specification. The new authentication procedure promises to make websites more secure and easy to log into by replacing passwords with biometrics or security keys. However, web service providers will have to adopt the standard before users can take advantage of it.
Back in April 2018, we reported that Firefox began supporting a new password-free authentication standard called WebAuthn. Other major browsers followed suit with Chrome, Edge, and then Safari all testing and implementing it before the end of 2018. The authentication standard has now been declared finalized and official by the World Wide Web Consortium (W3C) and the FIDO Alliance.
The Web Authentication or WebAuthn specification allows users to log into websites without having to remember passwords. Instead, users can use biometric data such as a fingerprint, USB security keys, or mobile devices like smartphones or watches. The W3C claims it will make websites more secure.
“This advancement is a major step forward in making the web more secure— and usable—for users around the world,” said the W3C in its press release.
The consortium urges websites and services to begin implementing the functionality to create a more secure environment and to allow their users the convenience of not having to enter credentials.
“Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,” said W3C CEO Jeff Jaffe. “W3C's Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site.”
There is little debate that biometrics are more secure than passwords. Virtually all smartphone manufacturers have made biometrics the default authentication method. We report regularly of passwords and other user information that have been stolen or leaked. Despite repeated warnings, some users still use weak passwords like “password” or “123456.”
The W3C feels that WebAuthn will eliminate many problems associated with traditional authentication methods.
“It's common knowledge that passwords have outlived their efficacy. Not only are stolen, weak or default passwords behind 81 percent of data breaches, they are a drain of time and resources. While traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security, they are still vulnerable to phishing attacks, aren’t simple to use and suffer from low opt-in rates. With WebAuthn, the global technology community has come together to provide a shared solution to the shared password problem.”
WebAuthn also allows workers to get to work faster. According to a study by Yubico published in January, employees spend an average of 10.9 hours per year either entering credentials or changing them. This time works out to an average annual cost of $5.2 million for companies.
Don’t expect to start using the standard immediately though. Websites will still have to incorporate it into their authentication protocols. With no pressing urgency like a specific security threat, many sites will likely take their time adopting the standard.