Firefox support for WebAuthn shows passwords the door

Something important happened in the world of passwords this week – Firefox 60 has become the first browser to support a new standard called Web Authentication (WebAuthn).

Developed as a joint effort by the industry FIDO Alliance and the World Wide Web Consortium (WC3) on the back of Universal Authentication Factor (UAF), WebAuthn is an API which deploys public key encryption to let users log into websites without needing a password.

The point of WebAuthn is to turn today’s flawed authentication model on its head.

That model typically has users authenticating themselves with passwords and, in some cases, a second factor such as a one-time code.

Passwords are widely reused, bad ones are easy to guess, strong ones are hard to remember and all passwords can be stolen by phishing attacks. The one time codes that add so much extra protection are hardly used and can also be phished, although the window of time in which they can be used is very small.

WebAuthn aims to change all of that:

Firefox 60 will ship with the WebAuthn API enabled by default, providing two-factor authentication built on public-key cryptography immune to phishing as we know it today.

For now WebAuthn relies on hardware keys, like YubiKeys, either on their own or alongside passwords. In future it could utilise any number of authentication methods including Windows Hello, face or fingerprint ID, or even a PIN terminal.

Once a user has authenticated at their end, no credentials leave their device – all a website sees is confirmation that authentication was successful – so there is nothing to steal.

By relegating passwords, at a stroke WebAuthn also reduces the negative impact of password re-use, which engineers are still trying to figure out how to stop.

How long might WebAuthn take to establish itself?

The short answer is don’t throw away your passwords just yet. Support has started in browsers which, in addition to Firefox, will soon include Chrome and Edge. (Apple’s intentions for Safari are less clear).

Next will be mobile devices, which in the case of Android will take longer because the architecture for storing credentials securely, on which WebAuthn hinges, is still evolving.

WebAuthn must of course be supported by the big websites – Google, Facebook and Microsoft are keen while Dropbox is already there, but even the latter’s enthusiasm is qualified:

There are still many security and usability factors to consider in these scenarios before replacing passwords entirely, and we believe that enabling WebAuthn for two-step verification strikes the right balance for most users right now.

What Dropbox seems to be saying is that no matter how good an idea, WebAuthn still requires users to start using security mechanisms such as biometrics or tokens for passwords to be retired.

You don’t have to be an outright pessimist to think that might take years.

A side issue is where WebAuthn leaves users who’ve already invested in hardware tokens prior to new FIDO2 WebAuthn tokens appearing last month.

As far as we can tell, older U2F tokens (which lack the number ‘2’ on the front) are backwards compatible with WebAuthn, the only limitation being that they won’t support the Client to Authenticator Protocol (CTAP) used in a few scenarios when one device (the hardware token) is authenticating another (a phone).