The measures that you can take to protect your account information have evolved greatly over the last several years. This includes the introduction of biometric verification and two-factor authentication. This week, another big leap in security protocol was taken when the World Wide Web Consortium (W3C) approved WebAuthn as the authentication standard that will be used for online account verification.
Moving Beyond Passwords
Passwords are not a part of WebAuthn, which is a great benefit since there were huge drawbacks to password protection. The average individual is registered to 90 online accounts, many of which have different password requirements. This means that users struggle to remember them all or they continually use one password, which puts all of their accounts at risk. The average user forgets a password after 2 weeks and 25% forget a password at least once a day.
Ditching passwords is a big leap forward, and WebAuth does that by using biometric data or hardware tokens. Most smartphones and modern devices already have the ability to use biometric data, such as a fingerprint or facial recognition, so extending this verification to online sites is an extension of the existing technology.
Hardware token verification is a little bit more complex. Essentially, the user would possess a hardware token that functions as a FIDO security key. This can then be plugged into the USB port of your PC to gain access to your accounts. YubiKeys or Titans are two examples of current keys that can be used.
Simply put, this key is essentially a highly complex password that you keep with you at all times. If lost, you can notify the vendor who will deactivate the key and issue you a new one. While there may be drawbacks with the model as well, it will be a vast improvement over the current system, which generally results in the widespread implementation of weak passwords. Recent data breaches, such as those of Collections 1-5, which included usernames combined with the corresponding passwords highlight how important a more secure alternative is.
The WebAuthn Process
WebAunth is already supported by most browsers, including Safari, Chrome, Firefox, and Edge, although the W3C adoption will be a compelling reason for individual websites to begin using it. It is an Application Programming Interface (API) that sites and browsers can used that enables the use of public key cryptography rather than passwords. Users are authenticated using JavaScript code embedded into the webpage that asks the browser to create credentials when signing up or get credentials when you log in. The code is downloaded with the web page, meaning that you do not have proved any information to the website itself.
This means that the site or browser asks that the authenticator verify your identity and once that is done (by biometric data or hardware token), you are granted access. The big benefit here is that none of your personal data or unique information is stored on the website itself – unlike our current environment where nearly all of your passwords are stored on the sites themselves. This environment is vulnerable to data breaches that can have huge consequences
for both the consumers and the companies themselves. WebAuthn provides a method that makes both the user and the site more secure.
Now that most browsers have adopted WebAuthn, the next step will be for websites to adopt it, which is very likely to happen over the coming months. Dropbox and Microsoft have already done so, and it will not be long before other sites realize the value in this type of authentication and the greater level of security it can provide. We may see an interim phase in which some sites retain the password data as a backup method for identity verification, but it is clear that the future of digital sites will be one without passwords. The reality of this will likely be here sooner than we expect!
