Passwords are, theoretically, a great security measure. The trouble is that the human brain doesn't deal well with them. Something like "X83_lmr!vv2k4ser.ag" is a great password, but who can remember it? You'll have to write it down, and someone else might find it.
There are better ways, and password-free authentication is about to become widely available. The WebAuthn protocol has reached "candidate recommendation" status, the World Wide Web Consortium's term for "very nearly final," and browsers are shipping it. Firefox 60 enables it by default, and Chrome and Edge are expected to follow quickly.
The new API doesn't dictate a specific way for users to authenticate themselves. It brings public-key authentication, the well-known approach behind SSH and TLS, to website logins. The user holds a "private key" on an authenticator, which can take many forms: a USB security key, a phone, a contactless card, or a chip built into the laptop. The website stores only the matching public key.
Nothing to steal
The key is long and random, and no one is expected to memorize it. More importantly, it never leaves the device and is never sent to the server, so phishers can't capture it even when they trick a user into logging in on a look-alike page. Instead, the client and server engage in an electronic "handshake": the server sends a fresh random challenge, the authenticator signs it with the private key, and the server checks the signature with the stored public key. One way to think of it is that the server asks a question which only someone with the private key can answer, and each question is asked only once, so a recorded answer is useless later.
Usually, the device holding the key will refuse to use it until the user supplies something more, such as a PIN, passphrase or fingerprint. That way, even someone who steals the device can't log in without the extra information. It's a form of two-factor authentication, where the possession factor is very strong to begin with.
The same public-key handshake isn't limited to human logins. Software can authenticate to a database or API service with a key instead of a shared password, which removes one more secret that can leak from configuration files. WebAuthn itself, though, is a browser API aimed at user logins.
When will it be real?
WebAuthn doesn't let users log in to anything by itself. It's an API, and it takes software on both the client and the server to turn it into an authentication mechanism. The server only sees a public key and signed challenges, so users will be free to choose among different authenticators, from USB keys to phones to hardware built into the laptop.
The question now is: Whose move is it? Companies running websites won't have much incentive to implement WebAuthn until there are people ready to use it. Users need to find sites that will accept it before they'll start using it. Changing over will require building up momentum somewhere.
The early adopters may be businesses that use in-house applications. They have control of both ends, so they can create services that require WebAuthn and give their employees applications that can use it. Businesses with strong security needs, such as banks and healthcare providers, are likely to move the fastest toward password-free logins.
What it won't fix
Logging in without a password will eliminate a lot of problems. Stolen and guessed passwords are among the biggest causes of security breaches, and accounts that switch to WebAuthn no longer have a password to steal or guess. But there will still be ways criminals can fool users. A look-alike site can't obtain a valid login, because the signature is bound to the site's real address, but it can simply pretend the user has logged in and then ask for confidential information relating to the account. People who think they're connected to a trusted site might enter credit card numbers and other data they wouldn't normally give.
That risk exists today, of course. The danger is in overselling the safety of the new approach. A lot of people think that if they have an HTTPS connection to a site, they must be safe. All they really have is an encrypted connection to whatever site they've connected to, which may or may not be one they can trust. Likewise, password-free authentication will eliminate a lot of problems, but users will still need to be careful about where they enter their data.
Wide adoption of WebAuthn will lead to more attempts to steal the devices that hold private keys. PIN or biometric protection limits that tactic's value, all the more because hardware authenticators typically lock out after a small number of wrong PIN attempts, but if the user protects the device with a weak PIN like "123456," that might be all the thief needs.
Network security is always a contest between attackers and defenders. WebAuthn won't eliminate every problem, but it will shift the balance in favor of the defenders.
Managed security with IronLogix will protect your network from would-be intruders, and we'll keep you up to date on the latest developments. Contact us to find out more.