Google, Microsoft, and Mozilla Implement FIDO To Kill The Password!

by Tim Sloane


Soon both Google Chrome and Microsoft Edge will support FIDO, and Firefox has already done so. With more and more clients becoming FIDO enabled, we can only hope that web sites decide to take advantage, and that we can soon say goodbye to passwords and finally have our biometrics do more than just open our mobile device and a few bank apps:

“The FIDO Alliance and the World Wide Web Consortium (W3C) have launched a new authentication standard that will bring biometric and hardware key security to the world’s leading web browsers.

New FIDO Standard for Web Browsers Backed by Google, Microsoft, Mozilla

Called WebAuthn, the standard lets web browsers authenticate users via fingerprint scan, facial recognition, or a hardware key device such as Yubico’s YubiKeys. The latter are small, thumb-drive-like devices designed to be plugged into a user’s USB port; during authentication, the user taps an embedded button to prove that they are physically present at the computer communicating with a given site. Fingerprint scanners, meanwhile, are increasingly finding their way into laptop and PC devices, and are of course on all kinds of smartphones; while facial recognition can be leveraged through a standard web camera or smartphone camera to enable biometric user authentication.

Thus, by supporting these mechanisms, the WebAuthn standard allows for significantly improved authentication security through a web browser. Sites that previously used password and username combinations to let users access online services can take advantage of technologies that physically validate the user’s identity, rather than relying on credentials that could possibly be stolen. That means greater security for the end user, with FIDO ensuring that these biometric and hardware key credentials are encrypted for each site to offer additional security. But it also offers more convenience, since biometric and hardware key authentication mechanisms can be faster than password-based login, and users will no longer need to remember an overwhelming array of passwords for various web services.

The WebAuthn specifications are now available for developers, and the W3C, which is the primary international standards organization for the web, has advanced the standard to ‘Candidate Recommendation’ status. That means the specifications have been thoroughly reviewed and deemed to meet the W3C’s technical requirements, and are now ready to be implemented so that the standards body can collect further data before it officially endorses the standard.

Meanwhile, Microsoft, Mozilla, and Google have all committed to supporting WebAuthn in their Edge, Firefox, and Chrome browsers, with the last being the world’s most popular web browser. And Mozilla, for its part, has in fact already enabled WebAuthn functionality, while in a statement FIDO and the W3C said that the Chrome and Edge browsers will enable their support ‘over the next few months.’ ”

WebAuthn is basically just a pipe that connects a capable FIDO client device to a capable FIDO server, which suggests a chicken-and-egg scenario may exist for a while. Even if Google, Mozilla or Microsoft provide the FIDO client software that connects to WebAuthn, there still needs to be a FIDO Authenticator that implements the biometric, and of course the web site must be upgraded to support the FIDO Server.

We can hope that Google, Microsoft and Mozilla will get the ball rolling by deploying all of the client components. This would certainly make web sites more likely to deploy the server side, but it will still take some time to determine how quickly adoption will occur. Let’s cross our fingers and hope it’s soon!

Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
