Firefox Takes Major Leap Toward Killing Passwords with WebAuthn Tech


Web browsers are moving into an era when users will no longer be required to enter passwords to log into websites.

With the release of Firefox 60, Mozilla’s browser now supports WebAuthn (Web Authentication), a technology that lets users sign in to websites with a physical authentication key such as a YubiKey dongle, or with biometric checks such as the fingerprint readers commonplace on Android phones or the iPhone’s Face ID.

Passwords have long been a vulnerable target for cybercriminals, who routinely run phishing scams to harvest credentials from unsuspecting users. Good password practice means using strong, hard-to-guess passwords that are never reused on other websites, a feat that’s easier in theory than in practice. While the post-password future could be a long way away, the rollout of WebAuthn in a popular browser like Firefox is an important step toward that end.

“It might be that, in a few years time, a significant number of people have a passwordless experience with at least one site that they use regularly. That’ll be exciting,” Google security expert Adam Langley said in a March blog post.

Mozilla’s Firefox is the first major browser to support WebAuthn, and Google’s popular browser, Chrome, is set to roll out its own upgrade, with the next version due to support WebAuthn this month.

“Essentially, WebAuthn is a set of anti-phishing rules that uses a sophisticated level of authenticators and cryptography to protect user accounts. It supports various authenticators, such as physical security keys today, and in the future mobile phones, or biometric mechanisms such as face recognition or fingerprints,” Mozilla explained while making its announcement on the release of its latest browser supporting the technology.

Data-sync and cloud service giant Dropbox also announced its support for WebAuthn, stating in a post yesterday:

“As a user, you’ll enjoy much stronger sign in security on more browsers. Unlike passwords, the secrets used in WebAuthn never leave your security key, so they are significantly harder to steal. And before using a secret to authenticate to Dropbox, the security key checks that you are signing in to the right place. You can feel confident when signing in that it’s really us, and we can be confident it’s really you.”
