A new web standard is expected to replace passwords, so that users will no longer have to remember logins for every website or service they use. The Web Authentication (WebAuthn) standard is designed to replace the password with biometrics and devices that users already own, such as a security key, a smartphone, a fingerprint scanner or webcam, according to The Guardian.
Users can authenticate their login with their body or something they have in their possession, communicating directly with the website via Bluetooth, USB or NFC.
“WebAuthn will change the way that people access the Web,” said Jeff Jaffe, chief executive of the World Wide Web Consortium (W3C), the body that controls web standards.
WebAuthn promises to protect users against phishing attacks and the use of stolen credentials, as there will be nothing to steal: the authentication token is generated and used once by their specific device each time the user logs in.
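The one-time, device-bound login described above can be sketched as a challenge-response check. This is an added example, not code from the article or the W3C specification; the function names and `example.com` values are constructed, and it simplifies the real protocol (no attestation, signature counter or CBOR parsing).

```javascript
const crypto = require('crypto');
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// Constructed stand-in for an authenticator: the private key never leaves it.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey,
    // In a real browser the origin is filled in by the browser, not by the page.
    sign(challenge, origin, rpId) {
      const clientDataJSON = Buffer.from(JSON.stringify({
        type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      // rpIdHash (32 bytes) + flags (0x01 = user present) + 4-byte counter (zero here)
      const authenticatorData = Buffer.concat([sha256(Buffer.from(rpId)), Buffer.from([0x01, 0, 0, 0, 0])]);
      const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
      return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
    },
  };
}

// Constructed relying party (the website): stores only the public key.
function makeRelyingParty(origin, rpId, publicKey) {
  const pending = new Set(); // challenges issued and not yet consumed
  return {
    newChallenge() {
      const c = crypto.randomBytes(32);
      pending.add(c.toString('base64url'));
      return c;
    },
    verify({ clientDataJSON, authenticatorData, signature }) {
      const cd = JSON.parse(clientDataJSON.toString());
      if (cd.type !== 'webauthn.get') return 'wrong type';
      if (!pending.delete(cd.challenge)) return 'unknown or replayed challenge';
      if (cd.origin !== origin) return 'origin mismatch';
      if (!authenticatorData.subarray(0, 32).equals(sha256(Buffer.from(rpId)))) return 'rpId mismatch';
      if (!(authenticatorData[32] & 0x01)) return 'user not present';
      const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
      return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
    },
  };
}

function demo() {
  const auth = makeAuthenticator();
  const rp = makeRelyingParty('https://example.com', 'example.com', auth.publicKey);
  const good = auth.sign(rp.newChallenge(), 'https://example.com', 'example.com');
  const first = rp.verify(good);   // fresh challenge, correct origin
  const replay = rp.verify(good);  // same response captured and sent again
  // Response produced on a look-alike origin is rejected even with a fresh challenge.
  const phished = rp.verify(auth.sign(rp.newChallenge(), 'https://examp1e.com', 'examp1e.com'));
  return { first, replay, phished };
}
```

The server holds no shared secret, and a captured response is useless once its challenge has been consumed.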
“After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications,” said Brett McDowell, executive director of the FIDO Alliance, one of the bodies supporting the new standard.
The W3C has moved WebAuthn to what’s called the “candidate recommendation” stage – the penultimate step before it becomes an approved web standard.
“While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link,” said Jaffe.
Several sites and services already use similar methods to log in, including Google and Facebook, which can both be logged into using a USB security key.