Mozilla has released Firefox 60, the first browser to support a new API that could pave the way for password-free logins.
Firefox 60 is the first browser to support the W3C WebAuthn standard, which eventually could allow people to sign in to any online account without a password and diminish the threat of phishing attacks that trick users into revealing a secret.
With mainstream browser support, WebAuthn will eventually allow users to sign in to a website using a smartphone’s fingerprint or facial recognition reader via a notification triggered by WebAuthn-supported websites.
The relatively new standard builds upon and is compatible with the Universal 2nd Factor (U2F) technology from the FIDO Alliance, which only allows users to sign in to websites with a YubiKey dongle as a second factor. The drawback of U2F is that it is only supported by Google Chrome.
And while U2F has been adopted mostly by enterprise users, WebAuthn is aimed at consumers and has broader browser support, starting with today’s release of Firefox 60. Support from Chrome and Microsoft Edge is expected by the end of the year. Apple Safari support for WebAuthn is under consideration and several WebKit developers are on the standard’s working group.
While the long-term promise of WebAuthn is a password-free login, the reality today is that WebAuthn provides broader support across desktop browsers for two-factor authentication.
File-sync service Dropbox this week switched on support for WebAuthn. Dropbox previously enabled two-factor authentication from Chrome using U2F, so the change means Firefox users can now also use a YubiKey security key as a second factor. Dropbox users who’ve previously registered a YubiKey with U2F can use WebAuthn or register new keys with WebAuthn.
Mozilla notes in its announcement that Firefox users can use a security key to log in to their accounts without typing a password, though this depends on support from the website. Otherwise, the security key can serve as a second factor.
Firefox, however, will eventually support fingerprint and facial recognition from smartphones. Microsoft’s Edge support for WebAuthn will focus on using Windows Hello biometrics for authentication, either as a second factor or for a password-free login.
According to Google security engineer Adam Langley, WebAuthn is “significantly more capable” than U2F but also much more complex.