Odds are that you log in to dozens of websites and online services on a regular basis… and odds are that you already know it’s a bad idea to use the same password for your bank, internet retail sites, your social media accounts, online gaming platforms, and media streaming services. But creating and remembering passwords for all of those can be a pain… and not doing so can be insecure.
In fact, even if you do use unique passwords for everything (a password manager helps), you could easily fall prey to phishing attacks or other techniques designed to get you to reveal your password, which is only partially alleviated by using multi-factor authentication.
But a new web standard called WebAuthn could help improve security across the web by allowing you to log in to many services without entering a password.
Here’s the idea: WebAuthn will be built into web browsers including Firefox, Chrome, and Edge by next month. It allows you to log in to a website using a fingerprint, facial recognition, a PIN, or a secondary device like a FIDO U2F security key that you carry on a keychain and connect to a PC using a USB port, Bluetooth or NFC when you want to log in to apps and services.
Without that key, fingerprint, or other identifier, you can’t log in. But with it, you don’t need to enter a username or password.
Does this mean that you can stop worrying about passwords next month? Probably not. It’ll be up to websites, app developers, and others to actually add support for WebAuthn to their services.
But with the new API set to become a web standard soon, it’ll be a lot easier for developers to support biometric logins or use of physical security keys. Right now there are some big services including Google, Facebook, Dropbox, and GitHub that support U2F security keys. But WebAuthn could dramatically increase the number of services that offer those kinds of security features by making it easier for smaller developers to jump on board.
Fewer passwords to remember is a good thing. But it’ll probably be a while before you have no passwords to remember. So it’s still probably a good idea to hang onto your password manager for now (or start using one if you haven’t already).