W3C approves WebAuthn, a new authentication standard for password-free logins

Password Settings on Mac

If you suck at remembering or creating strong passwords, you’re going to love that the World Wide Web Consortium (W3C) yesterday approved Web Authentication (WebAuthn), a new authentication standard for password-free logins that’s already supported by major browsers.

According to the announcement, the WebAuthn specification is now an official web standard.

WebAuthn lets people log into Internet accounts with their preferred device. It takes advantage of a protocol called Client to Authenticator Protocol (CTAP2), also called FIDO2, which is used to generate private and public cryptographic key pairs for authenticating to a website.

The press release lists the following key features of WebAuthn:

  • Security: FIDO2 cryptographic login credentials are unique across every website, biometrics or other secrets like passwords never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
  • Convenience: Users log in with convenient methods such as fingerprint readers, cameras, FIDO security keys or their personal mobile device.
  • Privacy: Because FIDO keys are unique for each Internet site, they cannot be used to track you across sites.
  • Scalability: Websites can enable FIDO2 via simple API call across all supported browsers and platforms on billions of devices consumers use every day.

In other words, WebAuthn could protect people from breach or phishing attack.

For starters, it’s far more secure than the weak passwords many folks use to safeguard their online accounts or those one-time-passcodes that can be intercepted. With WebAuthn, an attacker armed with a correct password would also require physical access to your physical security key or mobile device with supported biometric functions before gaining access.

TUTORIAL: How to view, search & edit Safari passwords

WebAuthn is currently supported in Chrome, Firefox, Edge and Safari web browsers, as well as in Windows 10 and Android. Support for Safari first appeared in Apple’s Safari Technology Preview version 71, which was released to developers on December 5.

WebAuthn should work with Yubico devices.

Yubico produces NFC-based physical security keys for passwordless login and two-factor authentication. In January, the company released its first Apple-approved physical security key that works with both Lightning-based iOS devices and Macs with a USB-C port.

YubiKey, the very first Apple-approved physical security key, works with iOS and macOS devices.

Yubico’s existing NFC-based security key products work out of the box with hundreds of web services that support the FIDO U2F and FIDO2 authentication protocols.

Both WebAuthn and the FIDO2/FIDO U2F authentication protocols are already supported by Dropbox, Facebook, GitHub, Salesforce, Stripe and Twitter, with other popular websites expected to integrate support for these standards in the coming months.