Will Passwords Ever Go Away? Maybe.
Passwords have been a thorn in the side of computer users for a very long time. Passwords are forgotten, at best. At worst, they are posted in plain view, rendering them useless. Finally, we see some real hope that passwords and all their irritations will go away. Here's what you need to know…
Is This The End of Passwords?
Password rules have become so complicated that it may take a half-dozen tries to come up with a password that some system administrator deems acceptable. Password management software is now essential, with rudimentary functions even baked into browsers. Passwords consume an excessive amount of time and brain cells.
Just yesterday, I was creating a new account at a large insurance company website and was asked to provide a password "between 6 and 10 characters in length." What? All the experts have been telling us that strong passwords should be 12 to 16 characters. Why impose an arbitrary limit like that?
But a new standard approved by the World Wide Web Consortium (W3C) is being adopted and deployed by browser heavyweights Google, Mozilla, and Microsoft. Hopefully, it will ease your password pain. Let's take a look at how it will work.
WebAuthn, also known as the Web Authentication API, is a programming interface that will allow developers to create software that authenticates a user’s identity without relying on passwords. When you visit a new site, it will recognize that you are a first-timer and offer you the convenience of the Web Authentication API, which works like this:
WebAuthn: enter a PIN or press your finger on the fingerprint reader.
Every time you re-visit that site and wish to go into restricted parts of it, you will need to perform the same “authentication gesture” that you did on the first visit. But a PIN is easier to remember than a strong password, and a finger is always at hand (sorry, couldn’t resist that pun).
Under the hood of WebAuthn, the user’s device and the Web server he’s logging into use public-key encryption to secure their connection and to authenticate the user’s identity. Your authentication gesture becomes the seed that generates your unique pair of public and private encryption keys, stored on your device. Another key pair associated with yours is stored on the remote Web server.
Solving Multiple Security Problems
A new unique pair of keys is generated for every site you need to log into, eliminating the security problems of users who use the same password on multiple sites. Best of all, you don’t have to understand encryption jargon, how public and private keys come into play, or do anything more to help it along than enter a PIN or press a fingerprint reader!
In addition to fingers and PINs, tech-loving users can store their encryption key pairs on a Yubico Key, which looks much like a USB thumb drive.
It's important to note that those remote keys are useless without your local keys. If you're interested in those technical details, you can peruse Web Authentication: An API for accessing Public Key Credentials Level 1.
Another good thing about WebAuthn is that because no passwords are used, your user credentials never leave your browser. Accordingly, they are not vulnerable to hacks or data breaches on the remote servers that currently store your usernames and passwords.
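To make the per-site keys and the "remote keys are useless without your local keys" point concrete, here is an added example (not from the original article or the W3C specification) that models registration and login in Node.js. It is a simplified model in which the site keeps only the public half of each key pair; the class names, site names and message layout are assumptions, and the real API signs a richer data structure.

```javascript
// Added illustration, simplified: not the WebAuthn wire format; all names are hypothetical.
const nodeCrypto = require("node:crypto");
// Stands in for a fingerprint reader or security key: one key pair per site.
class Authenticator {
  constructor() { this.keys = new Map(); } // origin -> private key, kept on device
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: "spki", format: "pem" }); // only this is sent out
  }
  sign(origin, challenge) {
    const clientData = JSON.stringify({ origin, challenge });
    const signature = nodeCrypto.sign("sha256", Buffer.from(clientData), this.keys.get(origin));
    return { clientData, signature };
  }
}

// Stands in for the website: stores public keys only, issues one-time challenges.
class Site {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32).toString("hex");
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, { clientData, signature }) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // each challenge is accepted once
    const pem = this.users.get(user);
    if (!expected || !pem) return false;
    const { origin, challenge } = JSON.parse(clientData);
    if (origin !== this.origin || challenge !== expected) return false;
    return nodeCrypto.verify("sha256", Buffer.from(clientData), pem, signature);
  }
}

function demo() {
  const device = new Authenticator(), other = new Authenticator();
  const bank = new Site("https://bank.example"), shop = new Site("https://shop.example");
  const bankKey = device.register(bank.origin), shopKey = device.register(shop.origin);
  bank.enroll("alice", bankKey); shop.enroll("alice", shopKey); other.register(bank.origin);
  const assertion = device.sign(bank.origin, bank.newChallenge("alice"));
  const login = bank.verify("alice", assertion);   // fresh challenge, right key
  bank.newChallenge("alice");
  const replay = bank.verify("alice", assertion);  // old assertion, new challenge
  const wrongKey = bank.verify("alice", other.sign(bank.origin, bank.newChallenge("alice")));
  const wrongSite = shop.verify("alice", device.sign(bank.origin, shop.newChallenge("alice")));
  return { login, replay, wrongKey, wrongSite, distinctKeys: bankKey !== shopKey };
}
```

Calling `demo()` returns one flag per case: only the login signed by the enrolled device over a fresh challenge is accepted, while a replayed response, a different device's key, and a response bound to another site are all rejected.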
Chrome 67 and Firefox 60 will be released with the WebAuthn API enabled by default. Both browsers are expected in May 2018. Microsoft has not announced a date for WebAuthn’s debut in the Edge browser, but it is expected not to be far behind the other two browser giants. Apple’s Safari browser does not support WebAuthn at this time, which seems odd because several Apple employees sit on the working group that came up with this standard.
WebAuthn is already deployed at some major sites, such as Facebook and several Google properties. If you have not encountered WebAuthn, it’s probably because you are not a first-time visitor who needs to log in.
Passwords will not go away completely for some time, but the death of passwords and all of their problems appears to be on the horizon. How do you feel about that? What could possibly go wrong with WebAuthn? Your comments are welcome below...
This article was posted by Bob Rankin on 26 Apr 2018
Copyright © 2005 - Bob Rankin - All Rights Reserved