Soon, it will be much easier to log into more websites using a hardware key plugged into your laptop, a dedicated app, or even the fingerprint scanner on your phone. On Tuesday, a spread of organizations and businesses, including top browser vendors such as Microsoft and Google, announced a new standards milestone that will streamline the process for web developers to add extra login methods to their sites, potentially keeping consumers’ accounts and data more secure.
“For users, this will be a natural transition. People everywhere are already using their fingers and faces to ‘unlock’ their mobile phones and PCs, so this will be natural to them—and more convenient,” Brett McDowell, executive director at the FIDO Alliance, one of the organizations involved in setting up the standard, told Motherboard in an email. “What they use today to ‘unlock’ will soon allow them to ‘login’ to all their favorite websites and a growing number of native apps that already includes Bank of America, PayPal, eBay and Aetna,” he added.
Passwords continue to be one of the weaker points in online security. A hacker may phish a target’s password and log into their account, or take passwords from one data breach and use them to break into accounts on another site. The login standard, called Web Authentication (WebAuthn), will let potentially any website or online service use apps, security keys, or biometrics as a login method instead of a password, or use those alternative approaches as a second method of verification.
The key here is making it easy and open for developers to use, and for it to work across all different brands of browsers. The functionality is already available in Mozilla’s Firefox, and will be rolled out to Microsoft’s Edge and Google Chrome in the next few months. Opera has committed to supporting WebAuthn as well.
“We can't share any specifics on timelines at this point. Chrome supports the FIDO and WebAuthn initiatives and we hope to see support later in 2018,” Christiaan Brand, product manager, identity and security at Google told Motherboard in an email.
Microsoft said in a statement that it is “fully committed to add support for WebAuthn in Edge. You can join the Windows Insider program to get early access and follow the Windows Insider Program blog for more information.”
As for Apple, McDowell mentioned that the team behind Webkit, which is the browser engine used by Safari, Mail, and the App Store, recently joined a related working group, “which bodes well for seeing this capability coming to Safari in the future.” Native apps on iOS do already have the ability to use authentication tools from FIDO-certified vendors, he added.
“It's pretty easy since there are already open source implementations and commercial servers available,” Google’s Brand added.
But there is another part of the puzzle—consumers, the people actually logging into websites, need some sort of device or application to then log in with.
With that in mind, “later this month Google and Microsoft are each demonstrating FIDO2 ‘authenticators’ coming to their respective ecosystems. All Windows 10 devices will have this ability through their Windows Hello authentication suite. Most versions of Android may soon have the ability as well through the Android Fingerprint API,” McDowell wrote.
Of course, as with anything and everything cybersecurity, researchers will likely still poke around WebAuthn looking for any flaws, oversights or vulnerabilities. Researchers recently found an issue with a feature in Chrome called WebUSB, which could allow a hacker to phish codes generated by hardware tokens used to log into services.
Getting to this milestone has been years in the making. Wendy Seltzer, strategy lead at the World Wide Web Consortium (W3C), told Motherboard in an email “it has taken time to work through the details of the Web API, but the result will be a specification that is implemented across the Web platform and available through a variety of technologies (phones, USB security keys, and other hardware and software).”
Google’s Brand told Motherboard “This is more than three years of work.”