What if you never had to remember or look up another password to an online account? And if the new method was more secure than even the most complicated password? While there’s no all-in-one fix for online security, WebAuthn, a new standard that won near-final approval last week, could signal the end of passwords and a more secure online experience.
With support from Google Chrome, Microsoft Edge and Mozilla Firefox, WebAuthn defines a standard web API — software that allows two applications to “talk” to each other — that can be built into browsers to provide a more secure method than a password to authenticate your identity before being allowed into an account.
“While there are many web security problems and we can't fix them all, relying on passwords is one of the weakest links,” Jeff Jaffe, CEO of W3C, a consortium that creates web standards for the industry, said in a press release. “With WebAuthn's multifactor solutions, we are eliminating this weak link. WebAuthn will change the way that people access the Web.”
There are two primary ways to forgo typing in passwords, both of which are compatible with WebAuthn. You’re probably familiar with the first one, which involves biometrics, including fingerprint readers, face ID and iris scans. If you have an iPhone 5S or later model, you can set up Touch ID, which allows you to touch the start button to open your phone, purchase items from the App Store and access compatible apps like Chase Mobile and Amazon. The increase in security is measurable.
According to Apple, Touch ID will misread a finger one in 50,000 times, a much lower probability than the one in 10,000 chance for guessing a four-digit password. Facial scan was introduced with the iPhone X and a similar technology was available on Samsung Galaxy S8 and S8+, along with iris scan. With its new Galaxy 9, Samsung combined the facial and iris scan technologies into a single feature that first scans your face, and then scans your irises only if the facial scan fails to identify you.
Biometric security has been added to computers too. Last year, Microsoft launched Hello, a biometric security feature that is available on a number of PCs running Windows 10. Hello accommodates fingerprint and facial recognition. Windows Hello logs you into your Windows devices in less than two seconds — three times faster than a password, according to Microsoft.
But you don’t have to spring for a new computer to get the extra security. Instead, you can buy the BIO-key Sidetouch Fingerprint Reader, compatible with any PC running Windows 8.1 or 10. The Sidetouch looks like a stubby flash drive and fits into your computer’s USB port. For around $40, it’s a fair price to pay for the extra security.
Regardless of how you access biometric security, your personal data must never leave the device for the system to be WebAuthn-compliant. By storing your scans in the device, you avoid the risk of them being intercepted en route to the cloud or stolen in a data breach from a company’s servers.
The second WebAuthn-approved method involves a different device called a security key that also looks like a small flash drive. Security keys use a combination of public and private keys, so that your private key never leaves the device. Once set up, you plug the key into a USB port on your device and tap to authenticate your identity. These keys are widely available, starting at $20. Look for FIDO Certified to be sure that the product you buy is compliant with the new standard. (FIDO stands for Fast Identity Online. The FIDO Alliance is working with the W3C to certify compliant services and devices.)
For instance, the Thetis security key works with Windows 7, 8.1 and 10, as well as OS for Mac, and can be used to securely access Gmail, Facebook, Dropbox, Salesforce and GitHub. As more websites adopt the standard, this list will grow. Note that at this time, you must browse via Chrome.
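To make the public and private key idea concrete, here is a short Node.js simulation of a security-key login, added as an illustration and not taken from the WebAuthn standard or any vendor's code. The site name example.test and all function names are assumptions; the website keeps only the public key, so a copy of its records cannot be used to sign in.

```javascript
// Added illustration: a simulated security-key login using Node's crypto module.
// example.test and every function name here are assumptions, not from the article.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the key pair is created inside the security key.
// Only the public key is handed to the website; the private key stays in this closure.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const sign = (rpId, clientDataJSON) => {
    const flags = Buffer.from([0x01]); // "user present" bit, set by the tap
    const authenticatorData = Buffer.concat([sha256(rpId), flags, Buffer.alloc(4)]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
  };
  return { publicKey, sign };
}

// Browser side: ties the website's one-time challenge to the site being visited.
function browserGet(authenticator, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  return { clientDataJSON, ...authenticator.sign(new URL(origin).hostname, clientDataJSON) };
}

// Website side: checks challenge, origin, site hash and the tap, then the signature.
function serverVerify(publicKey, expected, response) {
  const client = JSON.parse(response.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'stale challenge';
  if (client.origin !== expected.origin) return 'wrong origin';
  const rpIdHash = response.authenticatorData.subarray(0, 32);
  if (!rpIdHash.equals(sha256(new URL(expected.origin).hostname))) return 'wrong site';
  if ((response.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([response.authenticatorData, sha256(response.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, response.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const key = makeAuthenticator();      // the user's registered security key
  const otherKey = makeAuthenticator(); // any key that was never registered
  const expected = { origin: 'https://example.test', challenge: crypto.randomBytes(32) };
  const good = browserGet(key, expected.origin, expected.challenge);
  const nextLogin = { origin: expected.origin, challenge: crypto.randomBytes(32) };
  const forged = browserGet(otherKey, expected.origin, expected.challenge);
  return [serverVerify(key.publicKey, expected, good),    // genuine login
          serverVerify(key.publicKey, nextLogin, good),   // old response reused later
          serverVerify(key.publicKey, expected, forged)]; // signed without the private key
}
console.log(demo());
```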
While it’s clear that biometrics and other non-password security measures are not entirely new, the finalization of WebAuthn signals an industry consensus around phasing out passwords, a move that we should all embrace.
Leslie Meredith has designed international websites and now runs marketing for a global events company. She writes about personal technology. You can email her at email@example.com.