Although Google’s Chrome browser already enabled “password-free” logins by supporting the FIDO (Fast IDentity Online) U2F standard, the latest desktop version hitting the stable channel this week, Chrome 67, now includes support for the new WebAuthn standard. But don’t worry: If you previously used physical security keys to log into Facebook and Google, they won’t need a replacement given WebAuthn is backward compatible.
If you’re not sure as to what all this means, websites, browser developers, device manufacturers, and the FIDO Alliance have been working together to eliminate passwords since 2014. The platform relies on cryptographic keys thus login credentials are never stored on your device or on the servers hosting your favorite service.
The first FIDO standard arrived in December 2014 followed by FIDO U2F in June 2015 andFIDO2 in April 2018. The first two standards rely on secondary devices, like Yubico’s Security Key and YubiKey NEO USB-based devices, to create these cryptographic keys. Other supported technologies include Bluetooth, Near Field Communication (NFC), and biometrics. The alliance began working with the World Wide Web Consortium to create a client-side standard called WebAuthn in early 2016.
The idea behind WebAuthn is to bring the cryptographic key creation and exchange directly to the browser. Prior to WebAuthn support, logins rely on passwords even though you don’t need to enter credentials each time you log onto a service: Physical security keys and biomeetric devices merely “authenticate” those credentials. But with WebAuthn support in place, you sign into an account only with a username: No password is required.
“In many cases, this single factor authentication is more secure than other forms of two-factor authentication (such as SMS), as there are no secrets that can be phished remotely,” a representative from Yubico told Digital Trends. “WebAuthn has also been blessed by the W3C, which means that all major web browsers are engaged to add support.”
Based on the current demo, you still need some form of physical “security token” like Yubico’s products or hardware supporting facial recognition and fingerprint scanning. As the demo shows, you can create an account without the need to submit a password, but the demo requires access to a physical key or connected biometric device. WebAuthn will eventually support biometrics on mobile devices, too.
The big takeaway here is that a password-free internet is becoming more mainstream. This method protects WebAuthn-compliant accounts from server-side hacks, on-device malware, and hackers tapping into your internet connection. Firefox 60 introduced WebAdmn support in early Maywhile the mainstream version of Microsoft Edge will include support in the next several months.
Outside the new WebAuthn component, Chrome 67 includes a new Generic Sensor application programming interface (API). This enables the browser to support accelerometers, gyroscopes, orientation and motion sensors in web-based applications. For instance, a web app within Chrome can now detect movement speed if the parent device contains an accelerometer.
Chrome 67 also now includes the WebXR Device API (aka web extended reality). According to Google, this feature will provide unified augmented and virtual reality experiences across desktop and mobile spanning from the smartphone-based Samsung Gear VR to the HTC Vive and Windows Mixed Reality headsets. The new API is available as an “origin trial,” Google states, and supports home shopping, art, immersive 360-degree videos, data visualization, traditional 2D and 3D videos presented in immersive surroundings, and games.
Other features in the latest version of Chrome include the ability for web pages to process mouse events to disable the back and forward mouse buttons in web-based games. On Windows, the right-hand ALT key now serves as AltGraph on some layouts. The list goes on regarding SVG, DOM, custom elements in HTML, and more developer-centric details.