Two-factor authentication with an additional code sent by SMS or e-mail has been around for some years, but few users secure their accounts in this rather inconvenient way. Logging in without a password? That should become possible with another standard, FIDO. Login then works, for example, through biometric methods, such as the iris scanner or fingerprint reader that unlocks the smartphone, or through a token in the form of a USB stick that can easily be carried on a keychain. As the World Wide Web Consortium (W3C) and the FIDO Alliance announced, Firefox, Chrome and Edge will in future support WebAuthn, the interface that gives websites access to FIDO. Firefox already supports the current version, while Chrome and Edge will follow in upcoming versions over the coming months.
WebAuthn is already in use at major online services such as Google and Facebook, where login is possible with the FIDO-standard YubiKey token. WebAuthn is also aimed at smaller sites, because the FIDO standard is easier and less expensive for them to implement. A USB token, for example, can be used as a second factor or can replace the password completely. Authentication is not limited to USB tokens; smartphones or smartwatches can be used as well.
According to The Verge, the FIDO standard is based on a zero-knowledge proof. This should make it particularly difficult to carry out phishing attacks or to impersonate someone else towards an online service, because there is no string that grants access to an account.
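The property described above, that no reusable string ever reaches the website, can be seen in a simplified model of a WebAuthn login: the site keeps only a public key, and the authenticator signs a fresh challenge together with the origin the browser is on. This is an added Node.js example, not code from the article or the FIDO specifications; it assumes ECDSA P-256 signatures and constructed placeholder names (`shop.example`, `shop-login.test`), and it leaves out attestation, CBOR encoding and counter checks.

```javascript
// Added illustration: a simplified model of a WebAuthn login check (not a complete implementation).
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Browser + authenticator: sign the server's challenge together with the origin the browser really sees.
function signAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData = SHA-256(rpId) || flags (0x01: user present) || 4-byte signature counter
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
}

// Website: holds only the public key and the challenge it issued for this login attempt.
function verifyAssertion(publicKey, expected, assertion) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'bad-type';
  if (clientData.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (clientData.origin !== expected.origin) return 'bad-origin';
  if (!assertion.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'bad-rp-id';
  if ((assertion.authenticatorData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  // Constructed sample values; the .example and .test names are placeholders.
  const rpId = 'shop.example', origin = 'https://shop.example';
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const challenge = nodeCrypto.randomBytes(32);
  const expected = { rpId, origin, challenge };

  const good = signAssertion(privateKey, rpId, origin, challenge);
  // Same key and challenge, but the browser was on a look-alike site and recorded that origin.
  const lookalike = signAssertion(privateKey, rpId, 'https://shop-login.test', challenge);
  // A captured assertion presented again after the server has issued a fresh challenge.
  const nextLogin = { rpId, origin, challenge: nodeCrypto.randomBytes(32) };
  // Signed data altered in transit (counter byte flipped).
  const altered = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  altered.authenticatorData[36] ^= 0xff;

  return {
    genuine: verifyAssertion(publicKey, expected, good),
    phishedOrigin: verifyAssertion(publicKey, expected, lookalike),
    replayed: verifyAssertion(publicKey, nextLogin, good),
    tampered: verifyAssertion(publicKey, expected, altered),
  };
}
console.log(demo());
```

Only the assertion made for the expected origin and the current challenge is accepted; the other three are rejected even though they were produced with the correct private key.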
The commitment of the major browser makers is a “big step” in the view of Brett McDowell, director of the FIDO Alliance. “After years of heavy data leakage and password theft, it’s now time for vendors to end their dependency on vulnerable passwords and apply phishing-resistant FIDO authentication across all websites and apps,” said McDowell. However, it cannot be ruled out that criminals will find a way to obtain secret access data with WebAuthn as well.
Apple has not yet commented on WebAuthn support in Safari, although the company is part of the group developing the standard.