WebAuthn Standardization Pushes Passwords Toward Obsolescence

WebAuthn Logo

The WebAuthn specification component of FIDO Alliance’s FIDO2 proposed standards should now begin to become much more commonplace online following an announcement from the World Wide Web Consortium (W3C) and FIDO Alliance revealing that the specification is an official web standard. Summarily, that means that wider support for web service and app login via biometrics, mobile device, or FIDO security keys should be imminent, as opposed to just password logins.

Between FIDO2 and WebAuthn, the new standard brings a wealth of improvements over older login methods ranging from security to convenience with a strong focus on protecting user credentials compared to passwords.

Citing a study conducted by Verizon Enterprise Solutions in 2017, W3C and the FIDO alliance note that weak passwords — whether default or user-created — are responsible for as many as 81-percent of data breaches. Another study by Yubico estimates that $5.2 million is wasted on password resets per year and users spend around 10.9-hours per year going through that process.


The new standards address that resource drain. For starters, FIDO2 enables cryptographic login credentials that are unique across every site, while biometrics and passwords don’t leave an end-users device, eliminating the need to store them on a server for bad actors to steal.  The unique nature of FIDO keys also means they can’t be used to track a user across various sites.

An API call is all that’s needed to implement the new standards on a site, letting users log in via the standards using biometrics, including camera-based biometrics, FIDO security keys, or their personal mobile device. Along those same lines, a new FIDO certification program has been launched to make the process even easier for developers and vendors.

Chrome and Android already support the standards


Traditionally, logging securely into a website or service using Android or Chrome OS has required either a traditional password or two-factor authentication. The former of those has become increasingly insecure as highlighted above and the latter isn’t necessarily fool-proof either. SMS-based authentication, in particular, has proven vulnerable to spoofing attacks and other cyber attacks.

Now, aspects of FIDO2 and WebAuthn have already been in place in Chrome since version 70. Android devices operating on version Android 7.0 Nougat or newer have been certified with FIDO2 since the end of last month, pending an update to Google Play Services for older handsets.

So what does this standardization really do?


Both of Android and Chrome implementations were, at their most basic, software-level fixes. Effectively, they didn’t amount to much on their own, except where the use of the specifications was in place. That’s particularly true since the use of the specifications wasn’t necessarily going to be widespread, with support limited by platform.

That is where standardization of the FIDO Alliance standards takes action, since its standardization, complete with a dedicated API and certification program means that more web developers and vendors should begin to make use of the authentication methods.

Where implemented, Android users with a fingerprint reader or high-accuracy facial recognition features should be able to use that to log into a website or service instead of a password, making things more convenient and more secure.


Chrome OS devices may eventually begin to receive those types of hardware features outside of a few anomalous devices such as Google’s Pixel Slate and its fingerprint scanner. Users can already utilize Chrome’s Better Together features to keep a device unlocked with a mobile device without a fingerprint reader but that still requires an initial login with a password.

With the new standardization, more robust login could be more feasible. Hardware-based authentication using FIDO keys or face scanning would be supported as well, where applicable, widening the scope of exactly how users can log in across the board without relying on passwords.