Online security is becoming more and more important. But we often end up messing up that delicate balance between security and comfort. Now, the new standard WebAuthn is looking to make devices of all sorts more secure by using physical security keys and biometric passwords.

Published on August 6, 2019

Who hasn’t ever forgotten their password? Or used something like 1234 so as not to waste time when signing up on a new site? And why can you use your fingerprint to unlock your phone but not to log into a new online store?


The W3C Consortium and the FIDO Alliance have been working for years on a standard for the Web called WebAuthn (Web Authentication), which enables combinations of “usernames and passwords” that are safer and easier than the ones we have now. The W3C is in charge of outlining matters related to web engineering in terms of protocols and contents; FIDO (Fast IDentity Online) brings together different manufacturers and businesses with the objective of simplifying authentication systems for accounts and passwords, especially when they’re related to physical devices. The basic idea is that we won’t have to remember them all or use a different account and password for each service.

Over the last few years, many interesting advances have been made, but they are sometimes disjointed. Those who need more security are used to using software like password managers or physical “USB security keys” (dongles) that enable access to certain sites when they’re plugged in. There are also more and more smartphones, tablets, and laptops that are unlocked with your fingerprint, so you don’t have to remember a password. Other biometric systems include facial recognition and iris scanning. Nevertheless, these systems aren’t interoperable, and not all of them are compatible with the software or services you may want to use.

This problem is something like the snake that bit its own tail: businesses didn’t use a single method because there was no standard, and no one developed a popular enough standard because it was difficult to convince all the parties involved.

 

WebAuthn for all

The new WebAuthn standard aims to create a solution that works for all operating systems (Mac, Windows, Linux), on all platforms for computers as well as smartphones, tablets, and other devices, and on all web browsers (Chrome, Firefox, Edge, Safari, etc.). This will allow all devices connected to the Internet of Things, less common payment systems, connected homes, and more to be included.


As “official web standards” are getting approved, the only thing missing is for the relevant businesses and organizations to start using them. In practice, it will be enough to create one account that won’t even require you to remember a password: you just have to plug in the device’s physical key, put your finger on the fingerprint sensor, or show your face to the camera. These credentials will be the same for all services, but the “passwords” (which the user doesn’t even know) are so secure that they never leave the device they’re associated with; they just perform an “authentication operation” when necessary.


New habits that are much more secure

Having a password that not even the user knows has a lot of advantages: most “attacks” and data theft are related to the “default” passwords that many systems come installed with, for example. Another high percentage involve “trivial” passwords, or even normal passwords that end up stolen through techniques like phishing: tricks carried out through e-mail and other forms of what’s called social engineering.

Besides, even though an account and its secret password allow us to identify ourselves to different services and businesses with WebAuthn, the standard doesn’t allow “monitoring” people from one place to another, which is an added advantage for privacy.

Soon, we’ll start seeing how manufacturers will begin incorporating their solutions and how smartphones, computers, and other devices start to be capable of using this new standard: with companies like Amazon, Google, Microsoft, Mastercard, ING, Intel, Lenovo, PayPal, Visa, Yubico, and more – general as well as specialized ones – getting involved, it’s just a question of time.

Written by Álvaro Ibáñez on August 6, 2019
