Microsoft has just announced support for WebAuthn in its Edge browser, joining Firefox and Chrome in moving users toward a passwordless authentication future.
The World Wide Web Consortium (W3C) WebAuthn standard is an alternative to website password entry. WebAuthn provides a way to bypass password authentication in favor of proxy authentication for websites via a user's or client's USB, Bluetooth or NFC (smartphone unique ID) device. The era of easily guessed passwords, misplaced passwords and other password foibles may be nearing its end.
With WebAuthn, instead of entering passwords to authenticate to websites, web browser visitors use a nearby or plugged-in device with a unique user-ID source. The WebAuthn protocol is a product of FIDO (Fast IDentity Online), an alliance of organizations including Airbnb, the Federal Reserve Bank of Minneapolis and PayPal, which developed the FIDO2 protocol that WebAuthn works with. The FIDO2 protocol is designed to use the unique identifiers found in tested and compatible user devices, including fingerprint sensors and dedicated devices such as the Yubico Secure Key USB fob.
"Yubico co-created the core and revolutionary invention behind FIDO U2F--one single second-factor security key that works with any number of services, without drivers or client software needed, and without shared secrets between services," said Stina Ehrensvard, CEO of Yubico. "FIDO2 is a natural evolution of U2F, delivering trusted, passwordless authentication for the modern and distributed workforce."
Other WebAuthn authenticating devices include the NFC chip found in most Android phones. Combinations can be used as well, such as a smartphone gesture (shake or movement). Authentication devices have a unique, long and difficult-to-spoof string of characters that is used to characterize an identity.
Google, Microsoft and Mozilla have committed to supporting WebAuthn in their browsers, and Microsoft has said it will add support for WebAuthn in Active Directory.
The updated browsers sense the presence of an authenticating mechanism or device that is available to the website for validating and authenticating a person attempting to use the website's resources. The mechanism or device from which the browser obtains user-validating information is unique to that device and, therefore, to that user authentication attempt. Users of WebAuthn would need to bring authentication devices, or combinations of devices, with them to authenticate to a website.