No More Passwords: 'Keys' to Become New Standard

John Lister's picture

The demise of the password has come a step closer this week with the adoption of a new standard for physical "keys" for logging in to websites. "WebAuthn," as it's called, makes it easier for sites to let users log in through a physical method - rather than relying on users having to remember a password.

These methods range from USB devices that act like a physical key to biometric devices such as fingerprint or eye scanners. The big hope is that such devices reduce the need to rely on passwords, which can be guessed or stolen in data breaches.

Browsers Already On Board

Having a standard is vital to make sure all compatible devices work with logins for all websites that support the technology. If this wasn't the case, users might need multiple login devices, which would undermine the simplicity of the technology.

For the WebAuthn standard to work, it needs to be supported by web browsers, websites and device manufacturers. Most major web browsers already support it, as do the device manufacturers.

This week's step is the official adoption of the standard by the World Wide Web Consortium (W3C). That's the organization that makes sure everyone involved in the web does key things the same way. For example, it oversees the development of code languages such as HTML and CSS which browsers use to turn a website's code into what the user sees on screen.

Websites Must Add Support

The hope is that now that it's an official standard, more and more websites will follow the lead of Microsoft and Dropbox in supporting the logins. It's a bit of a chicken-and-egg situation, as users might not bother with getting physical login devices unless they work on most sites, but sites might not bother supporting it until most users get the devices.

Site owners will need to add code to support the standard. However, the World Wide Web Consortium says this will be relatively simple and, importantly, won't require extra work as sites get larger or busier. (Source: w3.org)

What's Your Opinion?

Are you comfortable with the idea of a physical key as a way to log in to websites? How widespread would it have to be on the web before you'd consider getting such a device? Do you think the password will ever die out completely?


Comments

stekcapofni's picture

Now let me see....

Where did I leave my USB password dongle?

I see these things being as secure as the chips on credit cards. Not very.

lesgray_cdn's picture

I forget where I put my house and car keys sometimes... Do I really need something else??

kitekrazy's picture

"Consortium says this will be relatively simple and, importantly, won't require extra work as sites get larger or busier."

That would be dependent on people willing to use hardware devices. I don't see this happening for desktop and laptop users.

On the plus side it may cause me to stay off the web a lot more.

I already have an iLok and eLicenser required to use some software. I don't want any more hardware taking up a USB port. In fact iLok had gone to great lengths to not require their dongle. These things break too. Roboform does not.

RButts_5424's picture

Are we re-inventing the wheel? This nearly 87-year-old will stick with a master compound password to get to my password keeper software.

SteveMann's picture

I recall about 40 years ago, software was freely distributed, but the hardware key cost hundreds of dollars. If you lost a key - tough sh**.

russoule's picture

It appears that quite a few of the comments on here are from people who like having to remember to record a new password according to the rules of the website (no more than 8 characters - use 1 Capital and 3 lower-case - do not use a symbol - USE a symbol) on their "master password" app, whatever it may be. Personally, I tend to forget to record it and leave it off of Chrome's automatic password saver as well, so I have to do a lot of head-scratching if I go back to that site a year later or even a month later. A device that ALL the websites will accept? Sounds like a winner to me.

alan.cameron_4852's picture

The use of something else you can forget or misplace is still never going to work. It also requires the website to maintain more information subject to breaches.
The ideal solution is very nearly ready: SQRL. In this system the only password that is needed is the one to unlock the SQRL system. It is never transmitted to the website unencrypted and provides a website with a unique identity. This identity can never be stolen or subjected to a man-in-the-middle attack and can be used from many devices ranging from your PC to your smartphone or tablet.

For more details see https://www.grc.com/sqrl/demo.htm.

Website breaches are impossible as they have nothing to store that can be stolen.