Frequent readers of this blog will know that I am constantly looking for alternatives to passwords. Some of the reasons: a password can be shared, so a system cannot tell who the real user is; it can be forgotten; and when it is stored improperly it can be leaked.
Passwords fall into the single-factor category of “something you know” (the other two factors are “something you have”, such as a hardware token, and “something you are”, such as your fingerprint). Organizations wanting higher security generally require two of these factors. Until recently, that has been difficult or impractical for websites.
WebAuthn (short for Web Authentication) is a recently approved W3C standard (a W3C Recommendation since March 2019) that lets a website authenticate a user with a public-key credential held by a physical device or unlocked by biometrics, through an API in the browser rather than a password. That means a Yubico YubiKey (among other security keys) can now be used to log a user in to a website.
WebAuthn is supported by current versions of the major browsers and by the authenticators built into Windows 10 (Windows Hello) and Android. I have used it with Firefox running on Windows 8 as well. The beauty of this is that the browser and operating system do the work for you: there is no client software to install, and no per-site setup beyond registering the key once.
There is a demo for WebAuthn at https://webauthn.org. Here is what I did to test it on my Windows 10 desktop with Firefox:
The process took far longer to type in here than it did to actually register and log in. Because of the way Windows works, I could not capture the message window. But the webauthn.org site does show a log of what happened. It is long and probably not meaningful for most readers, but if you do this yourself, it can be accessed via a small “Advanced” link below the “Register” and “Login” buttons. For programmers, there is also a link to the source code for the site.
With the site's side of the code freely available to developers, I hope more sites will choose to use WebAuthn to authenticate users. A bit of a warning, though: tokens can get lost. If you use one, keep it safe, and where a site allows it register a second key (or keep its recovery codes) so a lost token does not lock you out. WebAuthn also works with built-in fingerprint readers, which act as authenticators in the same way a key does. Sadly, I cannot easily test it as my ancient phone doesn’t have a fingerprint reader.
I believe WebAuthn will go a long way toward helping the web get rid of the insecure password system.