Remembering increasingly complex passwords is difficult and writing them down is not always the best idea. Enter the WebAuthn standard, built by W3C and FIDO Alliance, to eliminate the need for password-based authentication.
After more than two years of development, major browsers are bringing support for WebAuthn. Mozilla Firefox now supports the standard. Google Chrome and Microsoft Edge will be adding support over the next few months. There has been no official commitment from Apple to implement the standard in Safari, though support is expected since Apple is a part of the W3C group working on the standard.
Biometric credentials and hardware tokens will be able to completely replace or supplant traditional passwords. Facial recognition, fingerprint readers, iris scanning, and voice analysis could all be used to verify the identity of a user.
One of the key considerations in promoting widespread adoption is making WebAuthn easy for small businesses and websites to implement. Readily available libraries will help make it easy for anyone to move away from password-based login forms and switch to biometric or hardware-based authentication methods.
During the authentication process, there is no single validation string that will grant access to a user. A zero-knowledge proof allows a website to identify that a user is the proper person without transmitting any information that would be harmful if intercepted. Firefox's implementation below outlines the process.
Phishing is still a problem for organizations that hold sensitive data. The use of the FIDO standard almost completely eliminates the threat of spear-phishing attacks. Notice that no personal or sensitive information is transmitted during the authentication process.
Without the need to share any information with websites that could be used for malicious purposes, there is no way for conventional phishing attacks to work. However, theft of hardware keys can still pose a threat for those without strong alternative methods of two-factor authentication.