BT

Firefox Introduces Web Authentication API

| by Kevin Ball Follow 3 Followers on May 15, 2018. Estimated reading time: 2 minutes |

With the Firefox 60 release on May 9, Firefox became the first major browser to support the Web Authentication API. This API enables users to avoid text-based passwords for websites and instead uses a local device with a biometric check or private PIN to generate a secure cryptographic identifier. Support for the API is in development for Chrome and Edge, and under consideration for Safari.

The specification is coming out of the FIDO Alliance in collaboration with W3C. According to the FIDO Alliance website:

The specifications and certifications from the FIDO Alliance enable an interoperable ecosystem of hardware-, mobile- and biometrics-based authenticators that can be used with many apps and websites. This ecosystem enables enterprises and service providers to deploy strong authentication solutions that reduce reliance on passwords and protect against phishing, man-in-the-middle and replay attacks using stolen passwords.

The Web Authentication API would allow users to sidestep the insecurity and frustration of having to remember passwords for every website in favor of a simple biometric check on a physical device like a phone or USB device. In a blog post, Nick Steele of Duo Security explains what this would look like:

There are more than a few different cases for how WebAuthn would work in practice, but the most common example is this: A user visits a website, let’s say cat-facts.com, on their laptop and goes to register an account. After pressing a button to begin registration on the site, they receive a prompt on their phone saying "Register with cat-facts.com."

Once they’ve accepted the request, the user would be asked to perform an "authorization gesture," such as typing in a PIN or biometric action that is associated with the account they are creating. After providing this, the website on the laptop would display something to the effect of "Registration complete!"

The user can now log in to cat-facts.com using the same phone and authorization gesture.

According to the Chrome tracking bug, the Web Authentication API will be available in Google Chrome version 67 for Desktop, scheduled for release on May 27, 2018. Microsoft Edge supports an earlier version of the API, with differences noted in their developer documentation. There is a polyfill available to support the current version of the API in Edge. As far as Safari is concerned, the status is murky. The Chrome tracker lists the API as under development in Safari, while the webkit feature status lists it as ‘under consideration’.

An article in 9 to 5 Mac speculates on why Apple might be incented to implement the feature:

There’s as yet no word on Safari, but with all current and recent iPhones and iPads offering either Face ID or Touch ID, and the latter supported on the MacBook Pro too, this would be tailor-made for Apple. It cannot be used with other browsers without Apple’s support.

Developers interested in getting started with the Web Authentication API can learn about it in a short tutorial on Google’s developer website or dive into the documentation on MDN.

Rate this Article

Adoption Stage
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Educational Content

Login to InfoQ to interact with what matters most to you.


Recover your password...

Follow

Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.

Like

More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.

Notifications

Stay up-to-date

Set up your notifications and don't miss out on content that matters to you

BT