11 - Apr - 2018
Passwords: we can’t live without them, and they are getting more cumbersome to live with by the day. With hackers becoming more and more determined to compromise accounts, service providers have been requiring increasingly complex passwords, and security experts recommend a different password for every account. It's all becoming too complicated, but the World Wide Web Consortium (W3C) might have a solution that would make text-based passwords a thing of the past.

The W3C, in conjunction with the FIDO Alliance, has put forward a new proposal that uses the same concept as two-factor authentication and makes your fingerprint, iris scan or even a facial scan the password. All of this would essentially require a device with a biometric method of authentication, such as your smartphone. We already use something similar for Google services, if you have two-factor authentication enabled, that is.

In case you’re wondering how this is all going to work, it is all built on a new API called WebAuthn. This API essentially enables any existing security device, such as a camera array (facial/iris recognition), fingerprint reader or USB key, to be used as an authenticator for web-based logins. Currently, when you sign into your Google account from a new device, you are asked to enter a password, after which you receive a prompt on a pre-authorized device to authenticate the login attempt. This is a prompt with a simple Yes/No option, but you are still required to enter a password first. Under the new method proposed by the W3C, logging into a service would not require a password. Instead, you would receive an authentication prompt on your smartphone to verify your identity, which you can do via biometrics or a PIN/pattern.
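Behind the prompt described above, the authenticator signs a one-time challenge from the website with a private key that never leaves the device. The following Node.js code is an added example, not from the article, and goes beyond its text to show the checks a server runs on that signed response; `RP_ID`, `ORIGIN` and the function names are constructed for illustration, and the phone or USB key is simulated in software.

```javascript
const crypto = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Constructed values for the example (assumptions, not from the article).
const RP_ID = 'example.com';
const ORIGIN = 'https://example.com';

// Stand-in for the phone or USB key: signs once the user has been verified.
function authenticatorSign(privateKey, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: b64url(challenge), origin,
  }));
  // authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4)
  const flags = Buffer.from([0x05]); // user present (0x01) + user verified (0x04)
  const authenticatorData = Buffer.concat([sha256(RP_ID), flags, Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData,
           signature: crypto.sign('sha256', signed, privateKey) };
}

// Server side: check the response against the stored public key and issued challenge.
function verifyAssertion(publicKey, expectedChallenge, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== b64url(expectedChallenge)) return 'bad challenge';
  if (client.origin !== ORIGIN) return 'bad origin';
  const ad = assertion.authenticatorData;
  if (!ad.subarray(0, 32).equals(sha256(RP_ID))) return 'bad rpId';
  if ((ad[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([ad, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature)
    ? 'ok' : 'bad signature';
}

function demo() {
  // Registration would store publicKey on the server; privateKey stays on the device.
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const challenge = crypto.randomBytes(32);
  const good = authenticatorSign(privateKey, challenge, ORIGIN);
  return {
    login: verifyAssertion(publicKey, challenge, good),
    // The same response presented against a later challenge is rejected.
    replay: verifyAssertion(publicKey, crypto.randomBytes(32), good),
    // A response produced for a different site's origin is rejected.
    otherSite: verifyAssertion(publicKey, challenge,
      authenticatorSign(privateKey, challenge, 'https://login.example.net')),
  };
}
```

Because the server stores only a public key and each challenge is used once, a database leak or a captured response gives an attacker nothing reusable, unlike a leaked password.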

There are a number of advantages to this new system being proposed by the W3C. For starters, it is a browser-based feature, meaning existing websites will not need to change anything on their end to make this work. Second, since it eliminates the need for text-based passwords, the chances of having your account hacked due to an “insecure” password are reduced to negligible. However, there is still the risk posed by a lost or stolen phone. If your authentications are set up to go through biometrics, you won't have to worry about the thief breaking into your online accounts. The PIN/pattern method does open up some possibility of success through trial and error, but the new protocol could address this with a limit on failed attempts. Lastly, having remote wipe enabled on your smartphone is always a great idea in case it is stolen.

As of today, Mozilla Firefox already supports the WebAuthn API, meaning that if you try to log into a service using the Firefox browser, you should be able to use your smartphone to authenticate the login. Engadget reports that Google Chrome and Microsoft’s Edge browsers will also incorporate WebAuthn in the next few months, but there is no timeline on when Apple will integrate this into Safari. Given that every iPhone, iPad and now many of Apple’s laptops have at least one form of biometric authentication, this system seems like it would be a perfect match for Apple devices. However, Apple locks the biometric authentication down rather tightly, and Apple users wouldn’t be able to benefit from this new authentication method without Apple’s support.

