Computer Active (UK)

What’s All the Fuss About? WebAuthn

Good riddance passwords, it’s been nice knowing you


What is it?

New web technology designed to replace typing a password as the main method of logging into your accounts, which is often seen as the weakest link in online security. If widely implemented, it would mean you could safely forget all those half-remembered usernames and passwords. Begone, ‘Richardb1946’!*

How is it safer?

Because your login information is never sent to the service you’re signing into. Instead, WebAuthn tells the service, such as a website or browser extension, that your identity has been verified. This information is used only once, thus eliminating the risk of using the same password across multiple sites. No data is sent to a server, so there’s nothing for a hacker to steal. Sorry, hackers!
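
The one-time sign-in described above, sketched as an added example: it is not part of the original article and is a simplified model rather than the browser's real WebAuthn API. It assumes your device holds a separate key pair for each site; the site names are made up and the function names are hypothetical.

```javascript
// Added illustration: a simplified model of a WebAuthn-style sign-in.
// All function names are hypothetical; this is not the browser's WebAuthn API.
const { generateKeyPairSync, randomBytes, sign, verify } = require("node:crypto");

// Registration: the device makes a fresh key pair for this one site.
// The site stores only the public key; the private key never leaves the device.
function register(site) {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  return { device: { site, privateKey }, server: { site, publicKey, pending: new Set() } };
}

// Site: issue a random challenge that is valid for a single sign-in attempt.
function issueChallenge(server) {
  const challenge = randomBytes(32);
  server.pending.add(challenge.toString("hex"));
  return challenge;
}

// Device: sign only after the local check (fingerprint, face, key tap) has passed.
function deviceSign(device, challenge, userVerified) {
  if (!userVerified) return null;
  const message = Buffer.concat([Buffer.from(device.site), challenge]);
  return sign(null, message, device.privateKey);
}

// Site: accept a signature once, for a challenge it issued, made by the registered key.
function verifyLogin(server, challenge, signature) {
  if (!signature || !server.pending.delete(challenge.toString("hex"))) return false;
  const message = Buffer.concat([Buffer.from(server.site), challenge]);
  return verify(null, message, server.publicKey, signature);
}

// Constructed walk-through with two made-up sites.
function demo() {
  const shop = register("shop.example");
  const bank = register("bank.example");
  const challenge = issueChallenge(shop.server);
  const signature = deviceSign(shop.device, challenge, true);
  const bankChallenge = issueChallenge(bank.server);
  return {
    firstLogin: verifyLogin(shop.server, challenge, signature),    // fresh challenge, right key
    replay: verifyLogin(shop.server, challenge, signature),        // challenge already used
    crossSite: verifyLogin(bank.server, bankChallenge, signature), // other site, other key
    noUserCheck: deviceSign(shop.device, issueChallenge(shop.server), false),
  };
}
```

What the site keeps on file is a public key, which cannot be used to sign in, and a captured signature is worthless once its challenge has been used.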

So what would replace passwords?

There are two options: sign in using a part of your body, or a device in your possession (a choice often defined as something you are or something you own). The one that sounds closest to science fiction is biometrics, which is identifying people using their unique physical features.

Scanners that recognise your fingerprint and face are already built into many phones, while Windows Hello (www.snipca.com/27490) also adds your iris to the sign-in options (as Microsoft says, “you are the password”). Some prototype devices even recognise the unique pattern of people’s veins in their wrist.

In the other technique, known as two-factor authentication, you’ll receive an alert or a code on a device, such as a USB key or phone. Tapping this logs you into the service, no password required.

Are these methods completely hack-proof?

It’s hard to say for certain that any form of security is totally safe. Hackers will always look for flaws, as will security researchers keen to make a name for themselves. In December, German security firm SYSS showed how to sign into Windows Hello using just a photo of the verified user, rather than their actual face. More recently, researchers demonstrated how to exploit a feature in Chrome to create a phishing site that bypasses the security used by the YubiKey Neo USB key (pictured left).

But these lapses aside, both forms of security are safer than using the same password across the internet.

Who developed WebAuthn?

The FIDO Alliance - not, as you may think, a group of militant poodles, but an organisation of over 260 tech companies which has spent the past few years simplifying the security behind signing into services online, making it feel more natural. Members include Apple, Google, Microsoft, Intel, Lenovo and PayPal. They worked with the World Wide Web Consortium (W3C), founded in 1994 by Sir Tim Berners-Lee, which agrees internet standards and guidelines to “ensure long-term growth for the web”. Their joint dream is to create an “interoperable ecosystem”.

What’s that in plain English?

It means making WebAuthn work seamlessly across all types of software and devices.

And is that possible?

Hopefully, because forthcoming versions of Chrome, Firefox and Edge will support it by default. Websites will welcome this because users will find it easier to log into their accounts. WebAuthn is now in the ‘candidate recommendation’ stage, which is the penultimate step before it becomes an approved web standard. We’ll explain how to use it in more detail when it launches, probably within the next few months.
