Skip to content
Naked Security Naked Security

Firefox support for WebAuthn shows passwords the door

Passwords aren't dead, yet.

Something important happened in the world of passwords this week – Firefox 60 has become the first browser to support a new standard called Web Authentication (WebAuthn).
Developed as a joint effort by the industry FIDO Alliance and the World Wide Web Consortium (WC3) on the back of Universal Authentication Factor (UAF), WebAuthn is an API which deploys public key encryption to let users log into websites without needing a password.
The point of WebAuthn is to turn today’s flawed authentication model on its head.
That model typically has users authenticating themselves with passwords and, in some cases, a second factor such as a one-time code.
Passwords are widely reused, bad ones are easy to guess, strong ones are hard to remember and all passwords can be stolen by phishing attacks. The one time codes that add so much extra protection are hardly used and can also be phished, although the window of time in which they can be used is very small.
WebAuthn aims to change all of that:

Firefox 60 will ship with the WebAuthn API enabled by default, providing two-factor authentication built on public-key cryptography immune to phishing as we know it today.

For now WebAuthn relies on hardware keys, like YubiKeys, either on their own or alongside passwords. In future it could utilise any number of authentication methods including Windows Hello, face or fingerprint ID, or even a PIN terminal.
Once a user has authenticated at their end, no credentials leave their device – all a website sees is confirmation that authentication was successful – so there is nothing to steal.

By relegating passwords, at a stroke WebAuthn also reduces the negative impact of password re-use, which engineers are still trying to figure out how to stop.
How long might WebAuthn take to establish itself?
The short answer is don’t throw away your passwords just yet. Support has started in browsers which, in addition to Firefox, will soon include Chrome and Edge. (Apple’s intentions for Safari are less clear).
Next will be mobile devices, which in the case of Android will take longer because the architecture for storing credentials securely, on which WebAuthn hinges, is still evolving.
WebAuthn must of course be supported by the big websites – Google, Facebook and Microsoft are keen while Dropbox is already there, but even the latter’s enthusiasm is qualified:

There are still many security and usability factors to consider in these scenarios before replacing passwords entirely, and we believe that enabling WebAuthn for two-step verification strikes the right balance for most users right now.

What Dropbox seems to be saying is that no matter how good an idea, WebAuthn still requires users to start using security mechanisms such as biometrics or tokens for passwords to be retired.
You don’t have to be an outright pessimist to think that might take years.
A side issue is where WebAuthn leaves users who’ve already invested in hardware tokens prior to new FIDO2 WebAuthn tokens appearing last month.
As far as we can tell, older U2F tokens (which lack the number ‘2’ on the front) are backwards compatible with WebAuthn, the only limitation being that they won’t support the Client to Authenticator Protocol (CTAP) used in a few scenarios when one device (the hardware token) is authenticating another (a phone).


It would be real nice if this was adopted quickly. In my experience, I believe that quick adoption will rely on a lot of key certifications and audits requiring it, which will prompt company leaders to enforce adoption across the enterprise, which is generally enough to ensure widespread adoption, as long as the requirement is not too obscurely written.


I do not like the concept of one identity for me, I have multiple identities. I have my software identity, my photo identity, my gaming identity (I don’t want people to judge my software by my bad gaming abilities), my political identity (I don’t mix politics and work). I have 4 Microsoft accounts, 3 google accounts 4 facebook accounts (well my Iguana has an account that I update for him). I suspect many other people are the same. We will not use a single identity source because we are human and we have different moods and desires at different times.


So when one, or more, of these places get “hacked”, or they let the info get out, our fingerprints and faces will be out there to be had by the highest bidders…do not say it will never happen. Look at Experian and the hundreds of millions of social security numbers now in the wind and being sold to those highest bidders. NOTHING is safe on the Internet. Every site can be hacked, even government sites…and let’s be honest here, the government would just love to have our fingerprints and faces in their very private files (at least the ones they do not already have).


@GGma: Clearly you need to read deeper about how this works. Your fingerprint data, face data, etc. are never sent to the server you’re connecting to. They’re used ON and BY the device you’re using to authenticate your identity. The authentication to the server you’re logging in to is done through public key cryptography. Uninformed comments like yours serve only to scare people away from more quickly adopting a technology which is actively trying to SOLVE the exact worry that you suggested.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!