Firefox support for WebAuthn shows passwords the door

LASER_oneXM

Something important happened in the world of passwords this week – Firefox 60 has become the first browser to support a new standard called Web Authentication (WebAuthn).


Developed as a joint effort by the industry FIDO Alliance and the World Wide Web Consortium (W3C) on the back of Universal Authentication Factor (UAF), WebAuthn is an API which deploys public key encryption to let users log into websites without needing a password.


The point of WebAuthn is to turn today’s flawed authentication model on its head.


That model typically has users authenticating themselves with passwords and, in some cases, a second factor such as a one-time code.


Passwords are widely reused, bad ones are easy to guess, strong ones are hard to remember and all passwords can be stolen by phishing attacks. The one-time codes that add so much extra protection are hardly used and can also be phished, although the window of time in which they can be used is very small.


WebAuthn aims to change all of that:
 

RejZoR

It's useless on everything but phones where you have facial recognition and fingerprint scanners. None of which you have on desktop where even if you attach an external device, you have to rely on unsupported mechanisms to even get that basic functionality.

Also, how do you change biometrics when they eventually get stolen? When passwords are stolen from a 3rd party, you just change them and you're done. How do you change a fingerprint? Only way I can think of is combining fingerprint with a password to create a unique hash from it which is then used for login and which can be modified while using a fingerprint. I don't know, but it's not as simple as they say it is.

What would work is a service like LastPass or Bitwarden becoming a de facto standard and there was some sort of mechanism that auto generates super complex passwords and is operable on any platform with perfect integration. Because what we have now is a mess of things being hacked together to make them work and convenient. But there are always problems. It's gonna take quite a while till we get something truly secure and convenient.
 
