The Internet Is Killing the Password By Making "WebAuthn" An Official Web Standard

People who are active on the web with multiple accounts should know that managing passwords can be problematic.

The work ranges from creating strong passwords that are hard to guess but easy to remember, to constantly changing them because of frequent data breaches, resetting them when forgotten, adding multi-factor authentication, registering phones, linking other email addresses for recovery, and so forth.

That is indeed a lot of work.

That is the process we all have to endure to benefit from the web and stay safe at the same time.

But things are changing, as the World Wide Web Consortium (W3C) and the FIDO Alliance have taken a big step toward killing the password.

The two have announced that WebAuthn (short for "Web Authentication") has become an official web standard, a year after promoting it to the Candidate Recommendation stage.

This means that the usual login format, the combination of a username and a password, is meant to be killed in favor of letting people log in using biometrics such as fingerprints and facial recognition, or through security keys and devices such as smartphones and smartwatches.

On the bright side, killing the password means that people are no longer required to remember, maintain or even enter a password.

As a matter of fact, passwords have actually become less popular.

According to Google in February 2018, Android is FIDO2-certified, which means devices can use fingerprints and security keys for logging in to accounts instead of passwords. This applies to devices running Android 7 and up, which covers half of all Android users.

This means that approximately one billion users are already enjoying this password-less life.

"It's common knowledge that passwords have outlived their efficacy," the organizations wrote in a press release.

"Not only are stolen, weak or default passwords behind 81 percent of data breaches, they are a drain of time and resources."

WebAuthn (Image: FIDO)

At its core, WebAuthn is essentially an API that allows apps and websites to communicate with a security device to let users log into their service.

This security device can range from a FIDO security key that users can simply plug into a USB port on their computer, to a more complex biometric device that allows for an additional level of verification.

The important thing is that WebAuthn is more secure than the weak passwords people still use. What's more, it is also simpler than having to remember a string of characters in the first place.

So if a user chooses to log in to a website or app using their face or fingerprint, that information is only stored on their device, and not on the app's server or the website.
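
What the website's server actually receives can be shown with a short added example (not code from the original article, the W3C or FIDO): it checks the browser's `clientDataJSON` and the authenticator data header, where the fingerprint or face match appears only as a single "user verified" flag bit. The function names, the `example.com` origin and the sample values are assumptions constructed for illustration, and the signature check against the stored public key is left out.

```python
import base64
import hashlib
import json
import struct

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Read the fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & 0x01),   # UP: someone touched the device
        "user_verified": bool(flags & 0x04),  # UV: fingerprint/face/PIN passed locally
        "sign_count": sign_count,
    }

def check_assertion(client_data_json, auth_data, challenge, origin, rp_id):
    """Return the names of failed checks; an empty list means all passed."""
    # The signature check against the stored public key is a separate required step.
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("challenge") != b64url(challenge):
        failures.append("challenge")
    if client.get("origin") != origin:
        failures.append("origin")
    auth = parse_authenticator_data(auth_data)
    if auth["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rp_id_hash")
    if not auth["user_present"]:
        failures.append("user_present")
    if not auth["user_verified"]:
        failures.append("user_verified")
    return failures

# Constructed sample values (not captured traffic); example.com is a placeholder.
CHALLENGE = bytes(range(32))

def make_sample(origin="https://example.com", flags=0x05, counter=7):
    client = {"type": "webauthn.get", "challenge": b64url(CHALLENGE), "origin": origin}
    auth = hashlib.sha256(b"example.com").digest() + struct.pack(">BI", flags, counter)
    return json.dumps(client).encode(), auth
```

A response produced for a different origin, or one where the device did not verify the user, fails these checks even though no password or biometric template ever reaches the server.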

Besides preventing brute force hacks, WebAuthn can also help prevent companies from following users around the internet and tracking their every activity.

When the news came, WebAuthn was already supported by most popular browsers, including Google Chrome, Apple’s Safari, Mozilla's Firefox and Microsoft Edge.

With the W3C approval, the consortium attempts to formalize the interaction between websites/apps and web browsers when exchanging user credentials. This should pave the way for more apps and websites to integrate it as a standard login option.

But here is the thing: passwords won't go anywhere anytime soon. The announcement was simply a warning sign that the password is reaching the end of its time as the most trustworthy and safe internet security credential.

WebAuthn is one step closer to being a viable alternative.

Published: 06/03/2019