Slashdot Mirror


Firefox Moves Browsers Into Post-Password Future With WebAuthn Tech (cnet.com)

Today, Mozilla released Firefox 60 for Windows, Mac, Linux and Android, and with it arrives Web Authentication API for desktop browsers. From a report: Firefox 60 supports technology called Web Authentication, or WebAuthn for short, that can be used to grant you access to websites with a physical authentication device like a YubiKey dongle, biometric identity proof using an Android phone's fingerprint reader or the iPhone's Face ID, and some other alternatives to passwords.

Passwords are a particular problem on the web. Fake websites can coax you to type in credentials that then can be used to steal money from your bank account or snoop your email -- a problem called phishing. Even if you pick hard-to-guess passwords, never reuse them on multiple sites and always remember them, passwords still aren't that strong a foundation for security these days. We're still a long way away from a post-password future, but WebAuthn is an important step, if nothing else, in making sites more secure.

5 of 132 comments

  1. Long term: Bad for the web by Anonymous Coward · Score: 5, Insightful

    While I appreciate some of the benign use cases they are supporting, this will be bad for the web in the long term. Creating that level of standardized interaction moves us closer to authentication being performed by persistent identity rather than something in our possession. Whether mandated by law, market fiat, or a combination of the two, we need to be wary of this threat. Cross-site identity is the keystone for wholesale privacy violations and mass censorship,

  2. Government vs Biometrics by Daemonik · Score: 4, Insightful

    The problem with biometric data for unlocking your devices or websites is that Governments are starting to argue that they can use your biometrics without your permission, as it's publicly available. An officer can hold your phone up to your face to unlock it that way, and they already have your fingerprints after an arrest, so it's not a huge leap to use that power to make you unlock a device.

    Whereas a PIN or password requires divulging privileged information and thus requires a warrant, at least in the US, biometric data is on shakier legal grounds.

    1. Re:Government vs Biometrics by Octorian · Score: 4, Insightful

      IMHO, the fundamental problem with biometrics is that they're a password you cannot change.

      No matter how personally unique some characteristic of you may be, it ultimately has to be captured and turned into a data stream to be used for authentication. What exactly stops someone from simply capturing and replaying that data stream?

    2. Re:Government vs Biometrics by Archangel+Michael · Score: 4, Insightful

      This is the first post that clearly states what the problem actually is.

      Identity isn't authorization. Biometrics is IDENTITY, not "AUTHORIZATION". I don't want my face to unlock my phone every time. Or my fingerprint. Or my blood sample. Or DNA, retinal scan etc.

      I want my authorization, which requires an ACT on my part besides just being me (dead or alive).

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  3. Re:Another dead Firefox release. by fluffernutter · Score: 5, Insightful

    I tried Edge once (to download Firefox) and it just gave me a white page like it was incompatible or something. Safari seems clumsy and slow. IE *is* dead. Chrome sends everything you type to Google, so not comfortable with that. Chromium may be an option, but I don't think it offers many advantages over Firefox. Furthermore, Firefox works in a consistent way on Mac, Windows, and Linux. Not sure what you think people are going to switch to.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.