W3C Approves WebAuthn as the Web Standard For Password-Free Logins

The World Wide Web Consortium (W3C) today declared that the Web Authentication API (WebAuthn) is now an official web standard. From a report: First announced by the W3C and the FIDO Alliance in February 2016, WebAuthn is now an open standard for password-free logins on the web. It is supported by W3C contributors, including Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, SoftBank, Tencent, and Yubico. The specification lets users log into online accounts using biometrics, mobile devices, and/or FIDO security keys. WebAuthn is supported by Android and Windows 10. On the browser side, Google Chrome, Mozilla Firefox, and Microsoft Edge all added support last year. Apple has supported WebAuthn in preview versions of Safari since December.

Thanks, but no thanks

[DogDude]

Use a *mobile device* for logging in somewhere? That seems like an extraordinarily bad idea. I wouldn't trust a mobile device for anything that requires security. They come already compromised by Google/Apple, and then most people load them up with all sorts of "apps" that are actually tracking/monitoring programs.

I'm sure most people will love it.

Something you have.

So instead of something you have / know / are - choose any two - it's now "Something you have." It's a great improvement over the atrociously insecure "We'll [collect your phone number for our database] and send a text to your cell phone [which might not even be your phone because SS7 is hopelessly insecure]" but killing the password entirely simply shifts the problem to how do you secure a bunch of Yubikeys?

How do I, for example, log in using a CLI? How is this any different than, say, storing my private key in ~/.ssh? How do I, for that matter, do anything with this that doesn't involve a web browser?

Sell your data to any bidder

[stooo]

>> sell users' info the the highest bidder.

Nope. They sell your data to any bidder. Why would they limit themselves to only one ?