Web browsers have taken a key step towards reducing the need for passwords and the security issues they bring. Google Chrome, Mozilla Firefox, and Microsoft Edge have agreed to support a new Web Authentication API that should reduce the need for passwords at login and eventually protect against phishing. Internet standards organisations W3C and FIDO Alliance have unveiled a new specification that lets browsers and websites replace passwords with biometric encryption methods.
With the specification, called WebAuthn, web developers will be able to integrate fingerprint readers and face scanners into their websites. The method relies on public-key cryptography and ensures that each site a user signs up to has its own key pair, solving the common issue of password reuse. When the API is available, you could visit a site on a PC, hit the login button, and then receive a code on a smartphone asking you to register.
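The per-site key pair idea described above, as an added example that is not part of the original article: a simplified Node.js model showing why a credential registered for one site cannot be reused on another. The `Authenticator` class, `verifyLogin`, `demo` and the example origins are hypothetical, and the signed data is a stand-in for the real WebAuthn message format.

```javascript
// Added illustration: simplified model of per-site keys, not the WebAuthn wire format.
const crypto = require('crypto');

// Hypothetical authenticator: holds one private key per site origin.
class Authenticator {
  constructor() { this.keys = new Map(); }
  // Registration: make a fresh key pair for this origin; only the public key leaves.
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  // Login: sign the site's challenge together with the origin the browser reports.
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // no credential was ever registered for this origin
    const clientData = JSON.stringify({ origin, challenge: challenge.toString('base64') });
    const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
    return { clientData, signature };
  }
}

// Site side: stores only the public key and checks origin, challenge and signature.
function verifyLogin(expectedOrigin, publicKeyPem, challenge, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin) return false;
  if (data.challenge !== challenge.toString('base64')) return false; // stale or replayed
  return crypto.verify('sha256', Buffer.from(assertion.clientData), publicKeyPem, assertion.signature);
}

function demo() {
  const bank = 'https://bank.example', shop = 'https://shop.example'; // constructed origins
  const auth = new Authenticator();
  const shopKey = auth.register(shop);
  const bankKey = auth.register(bank);
  const challenge = crypto.randomBytes(32);
  const genuine = auth.sign(bank, challenge);
  return {
    distinctKeys: shopKey !== bankKey, // nothing shared between sites to reuse
    genuineLogin: verifyLogin(bank, bankKey, challenge, genuine),
    otherSiteCredential: verifyLogin(bank, bankKey, challenge, auth.sign(shop, challenge)),
    lookalikeOrigin: verifyLogin(bank, bankKey, challenge, auth.sign('https://bank.example.invalid', challenge)),
    replayedAssertion: verifyLogin(bank, bankKey, crypto.randomBytes(32), genuine),
  };
}

console.log(demo());
```

Because the site stores only a public key and every login signs a fresh challenge bound to the origin, a breach of one site or a login attempt from a different origin yields nothing that verifies elsewhere.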
The new feature is expected to be available in the upcoming versions of Firefox, Chrome, and Edge slated for release in the next few months. It has reached the 'Candidate Recommendation (CR) stage', meaning it is being recommended to the standards bodies for final approval.
Enterprises and online service providers can now protect themselves and their users from the risks associated with passwords - including phishing, man-in-the-middle attacks and the abuse of stolen credentials, FIDO Alliance claims. They will be able to deploy standards-based strong authentication that works through the browser or via an external authenticator.
"After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications," said Brett McDowell, executive director of the FIDO Alliance. Meanwhile, W3C CEO Jeff Jaffe said, "WebAuthn will change the way that people access the Web."