Weak
or default passwords are behind 81% of data breaches, and most people employ
such a password, despite knowing better. Worse still, Internet users recycle
the same password across websites and services, making attackers’ job even
easier. But if the World Wide Web Consortium (W3C) has anything to say about
it, the age of password-based login is drawing to an abrupt close.

Passwords
are not only a popular point of entry for bad actors, they are also a drain of
time and resources for end users, as well as a major nuisance. Research
conducted by Yubico, a manufacturer of hardware authentication keys, users
spend 10.9 hours per year entering and/or resetting passwords. In corporate
environments, this allegedly translates into an average of $5.2 million lost
annually.

And
while traditional multi-factor authentication (MFA) solutions add another layer
of security, phishers still manage to work around these defenses. The situation
is worsened because of low MFA adoption rates among end-users.

In that respect, the W3C and the FIDO Alliance have been working diligently to make passwords obsolete, replacing them is the WebAuthn API, now an official standard embraced by Windows 10, Android, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari. Once implemented, WebAuthn gives users the option to log into web services and devices more easily via biometrics and/or FIDO security keys, and with much higher security over passwords alone. For those interested in the underpinnings, full documentation is available here.

According
to the W3C, the FIDO Alliance’s FIDO2 set of specifications addresses the four
main issues of traditional authentication:

  • Security: FIDO2 cryptographic login credentials are unique across every
    website, biometrics or other secrets like passwords never leave the user’s
    device and are never stored on a server. This security model eliminates the
    risks of phishing, all forms of password theft and replay attacks.
  • Convenience: Users log in with simple methods such as fingerprint readers,
    cameras, FIDO security keys, or their personal mobile device.
  • Privacy: Because FIDO cryptographic keys are unique for each internet
    site, they cannot be used to track users across sites.
  • Scalability: websites can enable FIDO2 via simple API call across all of
    supported browsers and platforms on billions of devices consumers use every
    day.

“The Web Authentication component of FIDO2 is now an official web standard from W3C, an important achievement that represents many years of industry collaboration to develop a practical solution for phishing-resistant authentication on the web,” said Brett McDowell, executive director of the FIDO Alliance. “With this milestone, we’re moving into the next phase of our shared mission to deliver simpler, stronger authentication to everyone using the internet today, and for years to come.”

The
WebAuthn standard is a major step forward in making the web more secure and
usable for everyone, but don’t expect everyone to just implement it overnight. Web
standards take a lot of time to mature and gain traction.