I have now seen an article about WebAuthn, the latest attempt by techies to replace the password.
Previous attempts have not caught on. Two-factor authentication either involves a losable USB widget (doubly awkward if you have few or no USB sockets on your machine) or your phone (so your logins are bundled together with your PII). Password managers are an attempt to make passwords more secure, but they only strengthen against some kinds of attacks and the managers can themselves be insecure.
Now along comes WebAuthn, which looks at first glance like a cross between the two, with some public-key encryption mixed in:
- The thing you’re trying to log into makes a request of your browser.
- Your browser passes the request to the “authenticator” of your choice, which can be a biometric sensor or 2FA widget.
- The authenticator’s response is passed back to the thing you’re trying to log into, which checks for a match. (This is where the public-key encryption comes in – your scanned fingerprint or whatever is converted into a private key.)
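The three steps above as a runnable sketch of the WebAuthn login ceremony, written for this post rather than taken from it or from any library: the relying party issues a random challenge, the authenticator signs it with a key pair that was generated on the device at registration (the biometric or PIN only unlocks that key), and the relying party checks the signature against the public key it stored. It assumes an ES256 (P-256) key, the origin `https://example.com` and relying-party ID `example.com`, and leaves out attestation and signCount bookkeeping.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
)

// Authenticator stands in for the device. It holds a key pair generated at registration;
// the biometric or PIN only unlocks that key, and the private half never leaves the device.
type Authenticator struct{ Key *ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{Key: k}
}
// signedDigest is SHA-256(authenticatorData || SHA-256(clientDataJSON)), the value signed and verified.
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// Assert is the authenticator's reply to a login challenge: clientDataJSON, authenticatorData, signature.
func (a *Authenticator) Assert(challenge []byte, origin, rpID string) (cd, authData, sig []byte) {
	cd, _ = json.Marshal(map[string]string{
		"type": "webauthn.get", "challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 1) // flags byte: user present; signCount = 1
	sig, _ = ecdsa.SignASN1(rand.Reader, a.Key, signedDigest(authData, cd))
	return
}

// VerifyAssertion is the relying party's check: type, origin, challenge, rpIdHash, user-present flag, signature.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge []byte, origin, rpID string, cd, authData, sig []byte) bool {
	var c map[string]string
	if json.Unmarshal(cd, &c) != nil || c["type"] != "webauthn.get" || c["origin"] != origin ||
		c["challenge"] != base64.RawURLEncoding.EncodeToString(challenge) {
		return false
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], rpHash[:]) || authData[32]&0x01 == 0 {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(authData, cd), sig)
}
```

Because the challenge and origin are bound into what is signed, a captured response cannot be replayed against a new login or from a different site; what the sketch does not defend against is code running inside the browser with the user's session, which is the author's point below.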
So, no more easily guessable passwords! All you have to do to stay secure is, um, never let anyone take a picture of you. Oh, and never install another browser extension (see below).
I’m not an optimist when it comes to infosec — I’ll leave that to the marketers and technotopians — so I’m going to put the over-under for the first large-scale breach of WebAuthn at two years from now. It might take less if someone screws up their encryption, but barring that, I’d guess that the thing will be broken by spyware in a browser extension.
In either scenario, WebAuthn will only be broken for some users… which makes it just as secure as the password.