“Mozilla has released Firefox 60 with support for a new option to sign in to websites without using a password,” Liam Tung reports for ZDNet. “That’s thanks to an emerging W3C standard called Web Authentication or WebAuthn, which is enabled by default in Firefox 60 and is coming later this month to Chrome 67, and Microsoft Edge. It’s also under consideration for Safari.”
“By removing passwords, the WebAuthn API will make phishing attacks a lot harder and gives users more convenient authentication choices, including hardware security key dongles such as a YubiKey device, fingerprint readers on smartphones, or facial-recognition systems like the iPhone X’s Face ID,” Tung reports. “A key advantage, like the FIDO Alliance’s predecessor U2F standard for security keys, is that WebAuthn generates cryptographic public-private pairs for signing in, which means no shared secrets that could be leaked if a site is hacked.”
“Though the standard is currently only rolling out to desktop browsers, in future mobile browsers are likely to support it too,” Tung reports. “As it stands, Firefox for the desktop is the first browser to support WebAuthn. According to Mozilla, WebAuthn currently supports security keys like Yubico when plugged into a USB port, but in future it will enable biometric login from mobile devices following a notification issued by a website, so long as the site also supports WebAuthn.”
Read more in the full article here.
MacDailyNews Take: We’ll wait for it to come to Safari and, in particular, work with Face ID, thanks.
Hmmm, seems to me an ideal way of tracking users across the internet …
I wish Apple Safari had such a system built in my Apple. I dont use Mozilla and not going too, but this password free access is appealing.
Wait for WWDC…
With Safari and Keychain, I hardly ever have to remember a password these days.
Yes it would be if keychain were reliable but unfortunately like so many things Apple these days it is not. My keychain saved passwords have already been completely screwed up twice this year. Very sad Apple
Agreed. Keychain is VERY unreliable, especially on the iPhone. I can’t count how many times I have had to reset passwords because Keychain failed to work on my iPhone. Too many!
That’s the typical lack of quality I have come to expect from Tim Cook’s Apple. The man simply does not care about attention to detail. Things used to work. Now they don’t and it shows. All the time.
Keychain has always worked flawlessly for me on my Apple devices.
Safari and 1 Password
That’s true, but it’s still sending a password. I think this new web authentication API isn’t password based.
Speaking of Face ID, will that work on a corpse as compared to Touch ID that doesn’t?
It will only work if the corpse is able to focus attention, so no.
And when it is hacked they own you.
No thanks.
Never had any issues with Keychain, ever..
My only troubles have been fairly obscure:
• Having to remove old passwords from Keychain after I’ve changed them.
• Having to DIY remove approval of System Root Certificate Authorities (CAs) that have screwed over the Internet. As ever, I wish Apple was faster at responding to security threats. (Example: StartCom. Coming up: incompetent Symantec).
I really like the IDEA of Keychain, and it works, sometimes. Seems to be good enough for Apple lately…not for me. I’ve still never spent my lucres on anything computer but Apple, but if, IF, I ever found anything I thought was better, I’d be gone in a NYC second.
Multifactor Authentication is still the best system. But it’s a relief that at long bloody list “Something You Have” is being supported in browsers.
I’ve had a YubiKey for over 10 years! So let me use the thing! Yes? What took you so long?!?!?!
http://www.yubico.com
The other two Factors of Multifactor Authentication:
– “Something You Are.” (Face, fingerprint, iris, retina…)
– “Something You Know.” (Password, mother’s maiden name, pictures with busses in them…)
The more factors the better. Less convenient! But better.
https://en.wikipedia.org/wiki/Multi-factor_authentication