Firefox support for WebAuthn shows passwords the door

LASER_oneXM

Something important happened in the world of passwords this week – Firefox 60 has become the first browser to support a new standard called Web Authentication (WebAuthn).


Developed as a joint effort by the industry FIDO Alliance and the World Wide Web Consortium (W3C) on the back of Universal Authentication Factor (UAF), WebAuthn is an API which deploys public key encryption to let users log into websites without needing a password.


The point of WebAuthn is to turn today’s flawed authentication model on its head.


That model typically has users authenticating themselves with passwords and, in some cases, a second factor such as a one-time code.


Passwords are widely reused, bad ones are easy to guess, strong ones are hard to remember and all passwords can be stolen by phishing attacks. The one-time codes that add so much extra protection are hardly used and can also be phished, although the window of time in which they can be used is very small.


WebAuthn aims to change all of that:
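Added example, not part of the thread or of any browser's code: a simplified sketch of the public-key login described above, with the authenticator signing a server challenge and the site verifying it against a stored public key. `RP_ID`, `ORIGIN` and the function names are constructed for illustration, and CBOR/COSE key parsing and attestation are left out.

```javascript
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();

// Constructed relying-party values (assumptions for this example).
const RP_ID = 'example.test';
const ORIGIN = 'https://example.test';

// Authenticator side: signs authenticatorData || SHA-256(clientDataJSON).
// authenticatorData = rpIdHash(32) | flags(1) | signCount(4, big-endian)
function makeAssertion(privateKey, challenge, origin, rpId, signCount) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin, // filled in by the browser, not by the page
  }));
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(signCount);
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), counter]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, privateKey) };
}

// Server side: holds only the public key and the last seen counter.
function verifyAssertion(a, publicKey, expectedChallenge, storedCount) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== ORIGIN) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpId mismatch';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  // Simplified: always require the counter to grow.
  if (a.authenticatorData.readUInt32BE(33) <= storedCount) return 'counter did not increase';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// One registered key (P-256), then three verification outcomes.
function runDemo() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const challenge = randomBytes(32);
  const good = makeAssertion(privateKey, challenge, ORIGIN, RP_ID, 1);
  const lookalike = makeAssertion(privateKey, challenge, 'https://examp1e.test', 'examp1e.test', 2);
  return {
    login: verifyAssertion(good, publicKey, challenge, 0),
    replay: verifyAssertion(good, publicKey, randomBytes(32), 1), // old assertion, new challenge
    phished: verifyAssertion(lookalike, publicKey, challenge, 1), // signed on another origin
  };
}
```

The server stores no shared secret: a fresh random challenge per login makes a captured assertion useless later, and the origin check rejects an assertion produced on a look-alike site.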
 
It's useless on everything but phones where you have facial recognition and fingerprint scanners. None of which you have on desktop where even if you attach an external device, you have to rely on unsupported mechanisms to even get that basic functionality.

Also, how do you change biometrics when they eventually get stolen? When passwords are stolen from a 3rd party, you just change it and you're done. How do you change a fingerprint? Only way I can think of is combining fingerprint with a password to create a unique hash from it which is then used for login and which can be modified while using a fingerprint. I don't know, but it's not as simple as they say it is.

What would work is a service like LastPass or Bitwarden becoming a de facto standard and there was some sort of mechanism that auto-generates super complex passwords and is operable on any platform with perfect integration. Because what we have now is a mess of things being hacked together to make them work and convenient. But there are always problems. It's gonna take quite a while till we get something truly secure and convenient.