Microsoft is doing its bit for the industry-wide push for the Web Authentication specification that could help kill passwords on the web.
Microsoft Edge, though not as popular as Chrome or Firefox, has made progress on its side of the push for a web without passwords.
“With Web Authentication, Microsoft Edge users can sign in with their face, fingerprint, PIN, or portable FIDO2 devices, leveraging strong public-key credentials instead of passwords,” Microsoft announced.
As Microsoft rightly points out, today’s websites are trusted to handle all manner of personally identifiable information, from credit card numbers, addresses and even medical records. The frequency of password beaches, password re-use, phishing, and inconsistent and confusing password rules hardly make it the ideal way to protect sensitive information online.
WebAuthn, the W3C standard in-the-making, could be the answer to this problem so long as lots of relevant websites get on board with the program too and support having biometrics stored on phones or security keys —such as YubiCo’s Yuibikey or Google’s new Titan key — offering an alternative to typing in a password.
The relatively new standard builds upon and is compatible with the Universal 2nd Factor (U2F) technology from the FIDO Alliance, which only allows users to sign in to websites with a Yubikey dongle as a second factor. The drawback is that it is only supported by Google Chrome.
Shortly after Firefox supported WebAuthn, Dropbox switched on support for WebAuthn. Since it previously enabled two-factor authentication from Chrome using U2F, Firefox users could also use a Yubikey security key as a second factor.
And while U2F has been adopted mostly by enterprise users, WebAuthn is aimed at consumers and has broader browser support, which started with Firefox 60, followed in Chrome 67 and was expected by Microsoft Edge. Apple Safari support for WebAuthn is under consideration and several WebKit developers are on the standard’s working group.
Microsoft will be introducing its WebAuthn implementation in the next version of Windows 10 due out around October and is part of the Windows 10 Insider Preview Build 17723 (Redstone 5), released last week.
As Firefox currently only supports security keys, Microsoft highlights that it currently has the broadest support available — albeit in a preview version of Windows 10 for Windows Hello users.
The W3C announced in March that WebAuthn had, with support of the FIDO Alliance, reached Candidate Recommendation (CR) as a specification, meaning it was well along to becoming an official specification.
“Microsoft Edge supports the CR version of Web Authentication. Our implementation provides the most complete support for Web Authentication to date, with support for a wider variety of authenticators than other browsers,” said Microsoft.
"Windows Hello allows users to authenticate without a password on any Windows 10 device, using biometrics—face and fingerprint recognition—or a PIN number to sign in to web sites. With Windows Hello face recognition, users can log in to sites that support Web Authentication in seconds, with just a glance.”