At 2004's RSA Conference, then Microsoft chairman Bill Gates predicted the death of the password because passwords have problems and people are bad at managing them. And fifteen years on, as RSA USA 2019 gets underway in San Francisco this week, we still have passwords.
But the possibility that internet users may be able to log into websites without typing a password or prompting a password management app to fill in the blanks has become a bit more plausible, with the standardization of the Web Authentication specification.
Known as WebAuthn for those who find six syllables a bit taxing to say aloud, the newly blessed specification is already supported in Android, Apple Safari (preview), Google Chrome, Microsoft Edge, Mozilla Firefox, and Windows 10.
The spec will allow people to authenticate themselves and log into internet accounts using a preferred device, through cryptographic keys derived from biometrics, mobile hardware, and/or FIDO2-compliant security keys.
"Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences," said Jeff Jaffe, CEO of web standards group W3C, in a statement on Monday.
WebAuthn doesn't really get rid of passwords. Rather, it eliminates the security risks that come with storing even hashed user passwords on servers – phishing, password theft, and replay attacks – and shifts the focus from typed credentials to hardware-based cryptographic login credentials plus some form of authentication gesture or code.
Looking ahead, you'll get to worry about losing your physical hardware key rather than losing the secrecy protecting your passwords through a poorly secured server.
The technology should allow websites to support low-friction authentication from visitors who have FIDO2 credentials associated with their desktop or mobile device.
In such a scenario, a user with a laptop or desktop computer and a Bluetooth-paired mobile phone might navigate a website's sign-in page and receive a prompt to authenticate via phone. The user would then take some authorization action like pressing the phone's fingerprint reader, if available, or entering a PIN to be logged in on the applicable computer.
In another scenario, a user with a laptop or desktop computer may rely on a dedicated FIDO2 fob in lieu of a phone-based authenticator. But the authentication process will probably still require pressing a button on the fob or entering a PIN. That's because automatic authentication could go wrong – you wouldn't want a USB stick to provide access to your bank account without some challenge.
At Dropbox, which implemented WebAuthn last year, the technology provides two-step verification rather than one-step access. The company said it kept passwords as part of the authentication process because there are a variety of security and usability factors that make it premature to get rid of them entirely.
Microsoft meanwhile has done its best to fulfill its co-founder's password death wish, adding support for FIDO2 hardware authentication in its Windows 10 October 2018 update last year. The company now allows those using Windows 10 with Microsoft Edge to log in to their Microsoft account without entering a password. ®