A New Standard for a More Secure Internet
Online security matters more every year, yet we keep trading it away for convenience. The new WebAuthn standard aims to make devices of all kinds more secure by replacing passwords with physical security keys and biometrics such as a fingerprint or a face.
6 August 2019
Who hasn’t ever forgotten a password? Or used something like 1234 to save time when signing up on a new site? And why can you unlock your phone with your fingerprint but not log into a new online store with it?
The World Wide Web Consortium (W3C) and the FIDO Alliance have spent years working on a web standard called WebAuthn (Web Authentication) that lets sites accept something both safer and easier than today’s usernames and passwords: a cryptographic key pair held by a device you own. The W3C defines the web’s protocols and formats; FIDO (Fast IDentity Online) brings together manufacturers and businesses to simplify authentication, especially when it involves physical devices. The basic idea is that we no longer have to remember a different password for every service.
Over the last few years many useful tools have appeared, but they are disjointed. People who need more security already use password managers or physical “USB security keys” (dongles) that grant access to certain sites only while they are plugged in. More and more smartphones, tablets, and laptops unlock with a fingerprint so you don’t have to type a password, and other biometric systems include facial recognition and iris scanning. Still, these systems are not interoperable, and not all of them work with the software or services you want to use.
The problem is a snake biting its own tail: businesses didn’t settle on a single method because there was no standard, and no standard became popular because it was hard to get all the parties involved to agree.
WebAuthn for all
The new WebAuthn standard aims to work on every operating system (macOS, Windows, Linux, Android, iOS), on computers as well as smartphones, tablets, and other devices, and in every web browser (Chrome, Firefox, Edge, Safari, etc.). That also opens the door to Internet of Things devices, less common payment systems, connected homes, and more.
WebAuthn became an official W3C Recommendation in March 2019, so what remains is for the relevant businesses and organisations to start using it. In practice, signing up for a service will no longer require remembering a password: you plug in your security key, touch the fingerprint sensor, or show your face to the camera. The same device can serve all your services, but each service gets its own key pair. The private key (which the user never sees and never needs to know) never leaves the device; when a site asks you to log in, the device simply signs a one-time challenge from the site, and the site checks that signature against the public key it stored when you registered.
New habits that are much more secure
Having a secret that not even the user knows has real advantages. A large share of attacks and data theft rely on “default” passwords that many systems ship with, on trivial passwords, or on ordinary passwords stolen through phishing: deceptive e-mails and other forms of what is called social engineering. A WebAuthn credential is bound to the site it was created for, and the browser only lets a site use keys registered for its own domain, so a look-alike phishing site cannot obtain a valid login signature, and a stolen challenge or signature is useless because each one is accepted only once.
There is a privacy benefit too. Because every service receives its own, unrelated public key from the same device, the standard gives services nothing they can use to recognise or track the same person from one site to the next.
Soon we will see manufacturers incorporating their own solutions and smartphones, computers, and other devices becoming capable of using the new standard. With companies such as Amazon, Google, Microsoft, Mastercard, ING, Intel, Lenovo, PayPal, Visa, Yubico, and more, both general and specialised, already involved, it is just a matter of time.