What happened?

Last week, WebAuthn was launched: a security technique that can replace the use of passwords on the Web. Users can identify themselves via biometrics (a finger or facial scan), or with a hardware key on which the user taps a button to prove that they are physically present at the computer communicating with a given website. This technology can physically validate a user’s identity without uploading the provided data during the login process and without storing it on the user’s device. Microsoft, Mozilla, and Google have committed to supporting this new technique in their Edge, Firefox, and Chrome browsers.

What does this mean?

This new technique promises to end phishing attacks, man-in-the-middle attacks, and the use of stolen credentials (there will be none), and to provide greater convenience for the end user. Remote virtual attacks are expected to become very difficult, which would turn cybercrime into actually breaking into a house and stealing a phone, or extracting a PIN code by means of (threatened) physical violence. The transition towards this new way of entering (private) data online is expected to go rather naturally, because many people already use their fingers or faces to unlock their smartphones. Furthermore, most devices are able to scan fingers and faces or have USB ports, which makes it easy to implement on a practical level as well.
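The phishing claim rests on a check the website performs at login: the browser records the origin it is actually talking to, together with the site's one-time challenge, in the client data that the authenticator signs. The sketch below is an added example, not code from the WebAuthn authors; the origins, challenge bytes and function names are constructed for illustration, and signature verification is a separate step not shown.

```javascript
// Added example: server-side check of WebAuthn clientDataJSON at login.
// All origins and challenge values here are constructed sample data.
const EXPECTED_ORIGIN = "https://bank.example";

// base64url without padding, the encoding used for the challenge field
function b64url(buf) {
  return Buffer.from(buf).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Returns { ok, reason }. The caller must still verify the authenticator's
// signature over the authenticator data and the hash of clientDataJSON.
function checkClientData(clientDataJSON, issuedChallenge, expectedOrigin) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  if (data.type !== "webauthn.get") {
    return { ok: false, reason: "wrong type" };
  }
  // A response built for an earlier challenge cannot be replayed.
  if (data.challenge !== b64url(issuedChallenge)) {
    return { ok: false, reason: "challenge mismatch" };
  }
  // The browser, not the page, fills in the origin, so a response obtained
  // on a look-alike site carries that site's origin and is rejected here.
  if (data.origin !== expectedOrigin) {
    return { ok: false, reason: "origin mismatch" };
  }
  return { ok: true, reason: "client data accepted" };
}

// Constructed inputs: what the browser would hand back in three situations.
function makeClientData(origin, chal) {
  return Buffer.from(JSON.stringify(
    { type: "webauthn.get", challenge: b64url(chal), origin }));
}
const challenge = Buffer.from("00112233445566778899aabbccddeeff", "hex");
const genuine = makeClientData("https://bank.example", challenge);
const lookalike = makeClientData("https://bank-example.login.test", challenge);
const replayed = makeClientData("https://bank.example", Buffer.from("old-challenge"));

for (const sample of [genuine, lookalike, replayed]) {
  console.log(checkClientData(sample, challenge, EXPECTED_ORIGIN));
}
```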

What’s next?

Aside from creating a more user-friendly way to enter the Web, the mission of the creators is to ensure that the Web remains open, accessible, and interoperable for everyone around the globe. Will this indeed be a turning point for the confidence of users in the safety of their private data? Many questions remain unanswered. For example: could governments, which have stored fingerprints and (3D) images of our faces, potentially have access to our private online data? To what extent can this technique distinguish between real fingers and faces and copies?