Firefox Moves Browsers Into Post-Password Future With WebAuthn Tech

Today, Mozilla released Firefox 60 for Windows, Mac, Linux and Android, and with it arrives Web Authentication API for desktop browsers. From a report: Firefox 60 supports technology called Web Authentication, or WebAuthn for short, that can be used to grant you access to websites with a physical authentication device like a YubiKey dongle, biometric identity proof using an Android phone's fingerprint reader or the iPhone's Face ID, and some other alternatives to passwords.

Passwords are a particular problem on the web. Fake websites can coax you to type in credentials that then can be used to steal money from your bank account or snoop your email -- a problem called phishing. Even if you pick hard-to-guess passwords, never reuse them on multiple sites and always remember them, passwords still aren't that strong a foundation for security these days. We're still a long way away from a post-password future, but WebAuthn is an important step, if nothing else, in making sites more secure.

No thank you

[AuMatar]

So I have to have a physical key, magically have copies of it on all my devices, and I'm screwed if I want to log into my account on another computer for some reason. No thanks, I'll keep my passwords.

Re: Time Saver

[Archangel+Michael]

I create new EMAIL for every account I have to sign up for.

My pattern is kind of along the lines of "Netflix-MyAccount-16@whatveremail.com". One email per account. That way, I know when I signed up for it (2016), and what it is for (Netflix). Each with a unique password only used for that site. It slows me down from signing up for fad of the years and stupid shit, and I know who sells my shit to who, and none of those gets my business again.

It is actually empowering taking control.

JUST STOP IT

[XSportSeeker]

Man, I'm f*cking tired of this shit.

Stop spreading the false myth that a new standard, biometrics, or whatever is gona "replace" passwords, or that there is a post password future, or bullshit like that.
What passwords provides is fundamentally different from what biometrics can offer.
If you can't understand this, you should not be reporting on these things, period, because you are only contributing to misinformation and misunderstandings on the very basics of security.

It's because of shitty practices like these that we are in the deep privacy end hole that we are now. There is no foreseeable "post password future". And not by a long stretch when it's relying on proprietary and closed off systems for it.

For something to completely replace passwords it needs to be something you know, that can be easily changed, and cannot be taken from you by force, when you are unconscious or something like that. If it can't, it cannot replace passwords, period. It won't end the era of passwords, it won't take it's place, and it cannot by definition, be used in several cases where passwords are required.

Biometrics and this new standard will add convenience to a form of authentication that while it can be enough for lots of things, or can be paired with passwords for added security, it does not offer the same level of security as passwords because it can be taken from you, some of them without you even knowing. They cannot be easily replaced as they are part of your identity, uniquely tied to you. And they'll be highly dependant on proprietary hardware and software schemes to maintain integrity.

And pointing out phishing as a flaw of passwords is just stupid. As soon as biometrics becomes more widespread, social engineering strategies to get what's needed to unlock them will rise. It's just the way it is. And yes, some of them might be very secure these days, but methods will arise to spoof, replicate, and just take it straight from the source. The proper way to see webauthn and biometrics is as a layer of security that is convenient, but isn't perfect and isn't impossible to bypass. You use as many layers you need, and weight the pros and cons of each for your usage. But f*cking stop saying that they'll be replacing passwords. We've been there before. Look how many biometric authentication methods were broken so far, look how many problems this assumption of replacing stuff with biometrics has already brought. Just. Stop. It.