
You. Shall. Not. Pass... word: Soon, you may be logging into websites using just your phone, face, fingerprint or token

Just don't lose your hardware keys

RSA At 2004's RSA Conference, then Microsoft chairman Bill Gates predicted the death of the password because passwords have problems and people are bad at managing them. And fifteen years on, as RSA USA 2019 gets underway in San Francisco this week, we still have passwords.

But the possibility that internet users may be able to log into websites without typing a password or prompting a password management app to fill in the blanks has become a bit more plausible, with the standardization of the Web Authentication specification.

Known as WebAuthn for those who find six syllables a bit taxing to say aloud, the newly blessed specification is already supported in Android, Apple Safari (preview), Google Chrome, Microsoft Edge, Mozilla Firefox, and Windows 10.

The spec will allow people to authenticate themselves and log into internet accounts using a preferred device, through cryptographic keys derived from biometrics, mobile hardware, and/or FIDO2-compliant security keys.

"Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences," said Jeff Jaffe, CEO of web standards group W3C, in a statement on Monday.

WebAuthn doesn't really get rid of passwords. Rather, it eliminates the risks that come with storing user passwords, even hashed ones, on servers – phishing, password theft, and replay attacks – and shifts the focus from typed credentials to hardware-backed cryptographic login credentials plus some form of authentication gesture or code.

Looking ahead, you'll get to worry about losing your physical hardware key rather than losing the secrecy protecting your passwords through a poorly secured server.


The technology should allow websites to support low-friction authentication from visitors who have FIDO2 credentials associated with their desktop or mobile device.

In such a scenario, a user with a laptop or desktop computer and a Bluetooth-paired mobile phone might navigate a website's sign-in page and receive a prompt to authenticate via phone. The user would then take some authorization action like pressing the phone's fingerprint reader, if available, or entering a PIN to be logged in on the applicable computer.

In another scenario, a user with a laptop or desktop computer may rely on a dedicated FIDO2 fob in lieu of a phone-based authenticator. But the authentication process will probably still require pressing a button on the fob or entering a PIN. That's because automatic authentication could go wrong – you wouldn't want a USB stick to provide access to your bank account without some challenge.

At Dropbox, which implemented WebAuthn last year, the technology provides two-step verification rather than one-step access. The company said it kept passwords as part of the authentication process because there are a variety of security and usability factors that make it premature to get rid of them entirely.

Microsoft meanwhile has done its best to fulfill its co-founder's password death wish, adding support for FIDO2 hardware authentication in its Windows 10 October 2018 update last year. The company now allows those using Windows 10 with Microsoft Edge to log in to their Microsoft account without entering a password. ®
