“WebAuthn is a set of anti-phishing rules that uses a sophisticated level of
authenticators and cryptography to protect user accounts. It supports various
authenticators, such as physical security keys today, and in the future mobile
phones, or biometric mechanisms such as face recognition or fingerprints.”
Mozilla explains
Firefox “Quantum,” version 60.0 support for Web Authentication standard and
USB-based security keys
Finally, a browser is jump-starting the password-free logins concept on the
Internet!!
Firefox “Quantum,” version 60.0 is rolling out support for the Web
Authentication standard and USB-based security keys, as reported in “Firefox
60 is the first browser to support password-free internet logins”,
published May 11 2018 by Kevin Parrish, Digitaltrends.
USB-based security keys such as Yubico’s YubiKey are a part of that mix. Yubico
offers standard YubiKey USB-A and USB-C models that remain plugged into your PC
(full-size or nano). Their “Neo” models are key-chain danglers that use USB-A
and NFC connectivity for PCs and Android phones. Their “FIPS” models are for
government and regulated industries, so options abound for every type of
customer.
Now with Firefox support, a web-based account using a one-time registration
token enables your YubiKey USB Key, eliminating the need to enter a password as
long as it's plugged in. With support for face recognition and fingerprint
scanning in the pipeline, you may only need to have clean digits or look your
best to access your computer!!!
Yubico's keys are physical USB keys that replace typing in passwords. So how
does Web Authentication work, exactly?
WebAuthn - E2EE encryption between a Browser and a Server
The alternative, WebAuthn (Web Authentication), is equally interesting.
WebAuthn uses encrypted public and private keys; there are no passwords stored
in a website’s database. Even more interesting, there are no passwords for
hackers to scoop on a compromised website. This is because no password data is
transmitted from your PC to the website.
WebAuthn stores your login and password credential in an encrypted form and
awaits instructions from the user, also encrypted, to access a
password-protected website. This way no password data is being passed from your
PC to the website; only instructions to the server to authenticate you on the
website you are logging into using encrypted public and private keys.
Effectively, this is E2EE encryption between a Browser and a Server and then to
the website you are logging into.
WebAuthn's goal is to authenticate account owners using biometrics, i.e. face
or fingerprint. This is harder to hack than letters, numbers and characters
that hackers could eventually discover. This may mean you will soon have to
invest in a fingerprint scanner and a web camera. But if web security is
important to you, then this should not be a problem.
So when do you start using this? And what about Google Chrome and Microsoft
Edge Browsers?
Google Chrome and Microsoft Edge Browsers - Break from centuries old passwords
WebAuthn is in its early rollout stages and currently only supports desktop web
browsers.
Eventually WebAuthn will support smartphones, giving a boost to, and possibly
replacing, the two-step authentication long used by developers and companies.
Chrome 67 will reportedly offer support later this month, followed by Microsoft
Edge, so if you’re a fan of those browsers, you don't have long to wait!!!
The latest Firefox release provides other noteworthy features as well:
1. A wider layout on new tabs
2. A larger Top Sites menu sporting eight icons
3. Larger Highlights icons
4. The Pocket recommendation section now displays an occasional sponsored
story as well
Mozilla claims their Pocket product isn't selling your browsing history to
associated sponsors and making recommendations based on that data, as Facebook
was doing, as noted in my blog article entitled “How the Facebook Data Scandal
involving Cambridge Analytica is a Storm in a Teacup”.
Enterprise customers planning on deploying Mozilla 60 can now enjoy:
1. The ability for IT to customize the browser for the office
2. A Rapid Release build that auto-updates roughly every six weeks
3. An Extended Support Release that updates once per year
Customization can be performed using the Group Policy tool on Windows, or
through a JSON file supporting Mac, Linux, and Windows.
Still, the Web Authentication standard and USB-based security keys are a
Quantum leap forward and represent the future where E2EE and authentication
using biometrics replace centuries old passwords!!!