Odds are that you login to dozens of websites and online services on a regular basis… and odds are that you already know it’s a bad idea to use the same password for your bank, internet retail sites, your social media accounts, online gaming platforms, and media streaming services. But creating and remember passwords for all of those can be a pain… and not doing so can be insecure.

In fact, even if you do use unique passwords for everything (a password manager helps), you could easily fall prey to phishing attacks or other techniques designed to get you to reveal your password, which is only partially alleviated by using multi-factor authentication.

But a new web standard called WebAuthn could help improve security across the web by allowing you to login to many services without entering a password.

Yubico FIDO U2F Security Key

Here’s the idea: WebAuthn will be built into web browsers including Firefox, Chrome, and Edge by next month. It allows you to login to a website using a fingerprint, facial recognition, PINs, or a secondary device like a FIDO U2F security keys that you carry on a keychain and connect to a PC using a USB port, Bluetooth or NFC when you want to login to apps and services.

Without that key, fingerprint, or other identifier, you can’t login. But with it, you don’t need to enter a username or password.

Does this meant hat you can stop worrying about passwords next month? Probably not. It’ll be up to websites, app developers, and others to actually add support for WebAuthn to their services.

But with the new API set to become a web standard soon, it’ll be a lot easier for developers to support biometric logins or use of physical security keys. Right now there are some big services including Google, Facebook, Dropbox, and GitHub that support U2F security keys. But WebAuthn could dramatically increase the number of services that offer those kinds of security features by making it easier for smaller developers to jump on board.

Fewer passwords to remember is a good thing. But it’ll probably be a while before you have no passwords to remember. So it’s still probably a good idea to hang onto your password manager for now (or starting using one if you haven’t already).

 

Support Liliputing

Liliputing's primary sources of revenue are advertising and affiliate links (if you click the "Shop" button at the top of the page and buy something on Amazon, for example, we'll get a small commission).

But there are several ways you can support the site directly even if you're using an ad blocker* and hate online shopping.

Contribute to our Patreon campaign

or...

Contribute via PayPal

* If you are using an ad blocker like uBlock Origin and seeing a pop-up message at the bottom of the screen, we have a guide that may help you disable it.

7 replies on “New web standard could remove the need for remembering passwords… eventually”

  1. I’m looking forward to the day (in the distant future) when all my interactions with the digital world will be through my personal digital AI (avatar? butler?) who will unfailingly know who I am, and will maintain all my security credentials and know how much information (if any) it is allowed to pass on to other entities (companies or people) on the Internet.

    I don’t doubt we will get there eventually, though it could be a while…

  2. Just remember, if the authorities come knocking, they can compel you to supply your fingerprint, retina image, or USB key. Not so much with something you KNOW. Passwords are a pain in the but but are the most secure. Just make sure to use a good, long password.

    1. Worth remembering if you’re doing anything illegal or doing anything legal that might upset the local, state, or national authorities (like writing about police corruption, for example).

      If you are worried about a coming police state, however, such constitutional niceties are unlikely to make any difference, so unless you are involved in the aforementioned activities, you’re still better off doing something that makes better security easier to achieve, since the greatest threat to your private information will always be from hackers and thieves out to steal your information for financial gain.

      1. The courts have already decided that the police do not have to know the law. They overstep their authority all the time. You do not have to be doing anything illegal to want to protect your privacy. I do things that are politically unpopular but not illegal. Also, many people keep “special” photos of their partners on their devices. I personally don’t think this is very smart but it is done all the time. These “special” photos tend to get passed around law enforcement offices when devices get accessed. You could be cleared of any charges but still have your private information/photos end up out in the world.

    2. And cut off your finger! Though with typical latex, rubber you can make a copy. See “The Mystery of the Red Thumb Mark”

    3. Somehow I think that will will prove to be difficuilt to use. Somehere there is a registry (encoded) of the security phrases–what if it is blocked, broken, trashed?

Comments are closed.