The other day the W3C announced a new standard for logging in called WebAuthn.  It’s already supported by Firefox, and Chrome and Microsoft’s Edge have committed to supporting it directly.  It’s likely Apple will follow suit with Safari, as Apple sits on the W3C working group that (together with the FIDO Alliance) produced WebAuthn.

WebAuthn is WhatsUp

WebAuthn is an attempt to “bring simpler yet stronger web authentication to users around the world.”   What that means, in practical terms, is that when fully implemented WebAuthn will let users log in to websites with biometrics and USB security keys instead of passwords.   WebAuthn works on public-key challenge-response.   When you register, the authenticator (a USB key, or the secure hardware in your phone or laptop) generates a key pair just for that site and hands the site only the public key.   When you log in, the site sends a fresh random challenge, the authenticator signs it with the private key, which never leaves the device, and the site checks the signature against the public key it stored.   You prove you hold the key without ever revealing it; this is sometimes loosely described as a zero-knowledge proof, although strictly it is a digital signature rather than a ZKP in the cryptographic sense.   Either way, authentication is no longer based on a single reusable string that both you and the site have to keep secret.

It will also let us forget about juggling complex password schemes for the dozens of websites we log in to.  Tap the security key you registered earlier and you are logged in.   Because the signed response is bound to the site’s origin and to a one-time challenge, and the site only ever stores a public key, this cuts off phishing (including the proxy-based man-in-the-middle kits phishers use), stolen-credential reuse and replay attacks at once.   For the more security conscious, platform authenticators that unlock the key with a biometric mean there is no separate USB token to lose or have stolen; and since every site holds its own public key, a lost security key can simply be revoked at each site.   The biometric itself never leaves the device; it only unlocks the key.

Sam Srinivas, Product Management Director, Google Cloud Security, says:

“Google Chrome is dedicated to building a better web, and allowing developers to interact with secure keystores in a structured way helps us continue this mission. As a founding member of the U2F and FIDO2 working groups within FIDO, we’re excited for the launch of these standards and look forward to our continued collaboration.”

Dave Bossio, Group Program Manager, Operating System Security, Microsoft, says:

“Providing a password alternative that works across devices, apps, browsers, and websites delivers on our commitment to a future without passwords. We are excited to announce that we will add support for the WebAuthn API, currently in the approval process stage at W3C, in Microsoft Edge thanks to our work with the FIDO Alliance.”

Why Password Authentication Sucks

Password authentication to validate users is better than nothing, but far from ideal.   All you have to do is read about how Equifax lost the personal data of more than a hundred million people, or about any of the large password-dump breaches, to see how fragile a scheme built on secrets the user has to remember really is.   If your business, customer, or personal financial data is secured by a password alone, I highly recommend investigating Two-Factor Authentication (2FA).   Sites from Google to TurboTax to OkCupid support 2FA right now.

For sites where you still have to log in with a plain password, please, for goodness’ sake, don’t reuse the same password across sites.  If that password is compromised once, attackers can try it against every other account you own.  And if you do not use a strong, unique password, assume it is only a matter of time before you are compromised.  You can check whether an account of yours has already turned up in a known breach at a breach-lookup service.


Is WebAuthn the Future?

Only time will tell whether WebAuthn is the answer to the problem of creating and remembering dozens of usernames and passwords, and to the security issues that come with them.  Right now it looks like the most promising option for a standard that delivers simpler, stronger authentication.  I’ll be testing it out as soon as possible; watch this space for a follow-up within a couple of weeks.



8 Comments

Benjiman Mitchell · April 17, 2018 at 12:04 am

I do NOT WANT TO TAKE A FINGERPRINT to log on to FACEBOOK!

    tripkendall · April 17, 2018 at 12:08 am

    You mad bro? Biometrics will not be mandatory with WebAuthn, only one of multiple options.

Tara J · April 17, 2018 at 9:48 pm

It would be so nice to not have to (try!) and remember all my logins and passwords… I have a password manager (LastPass) but it is not a foolproof solution.

    tripkendall · April 18, 2018 at 4:35 pm

    That’s the idea for sure. The added security is more important in my world, but I could not agree with you more.

Mike Jenkins · April 22, 2018 at 8:13 pm

A revised standard for information security has been issued

Read more: http://www.digitaljournal.com/tech-and-science/technology/new-international-standard-for-information-security/article/520389#ixzz5DQynBq3r

M3M0RY 0V3RR1D3 · April 28, 2018 at 4:50 pm

Big tech companies have been using this sort of sign in for quite some time. It’s good to see it coming to the masses in the U.S.

The big HOWEVER is that this should only ever be ONE option for signing in. I am not for the Eastern European model where you HAVE to login with your government issued smart card.

    tripkendall · April 28, 2018 at 5:01 pm

    Hey… Got it – Memory Override, that is a very good point… If you can only login with your government issued smart card I would be totally against it. Food for thought.

      M3M0RY 0V3RR1D3 · April 28, 2018 at 5:14 pm

      Right, it doesn’t really matter if you can’t comment on Facebook without your government ID card, but if you can’t log into your bank account without it?
