Death of the password?
New web standard trades passcodes for biometrics
The death of the password could be upon us.
A new security standard recently endorsed by the World Wide Web Consortium has experts excited about the prospect of making logins “unphishable” and ending the vulnerabilities that currently exist because so many users have poor “password hygiene” and reuse the same one across countless websites.
The Web Authentication (WebAuthn) standard developed collaboratively by members of the FIDO Alliance - which includes the likes of Amazon, Facebook, Google, Intel, Lenovo, Microsoft, PayPal, Samsung and Visa - allows web surfers to use biometrics such as fingerprints or facial scans instead of inputting a password.
Plugging a compatible USB device into a computer can also be used to bypass password screens on participating websites.
“I don’t think the password will be killed tomorrow, or even within the next three to six months, or even year,” says Joni Brennan, president of the non-profit Digital ID and Authentication Council of Canada.
“But there’s a shift and a journey that needs to happen and to finally move past having so many passwords and ideally not having passwords at some point - this I think is a really key step.”
Mozilla’s Firefox browser has already implemented the technology while Google and Microsoft have also committed to updating their browsers.
Users who adopt the new standard will basically be upgrading to a level of security used for protecting state secrets, says Vancouver native John Bradley, standards architect for the security hardware company Yubico, a board member of the FIDO Alliance.
“Essentially you’re moving people from being able to do remote attacks to phish you to actually having to break into your house and steal your phone ... and extract your pin from you at gunpoint. It significantly raises the bar,” says Bradley, who predicts some popular websites may start offering the new type of login within a couple of months.
He says security experts call the login method “unphishable” because there’s no indication yet that hackers could compromise it.