My Thoughts on Technology and Jamaica: How Mozilla Firefox Quantum support for WebAuthn and USB-based security keys kills passwords

Sunday, May 13, 2018

How Mozilla Firefox Quantum support for WebAuthn and USB-based security keys kills passwords


“WebAuthn is a set of anti-phishing rules that uses a sophisticated level of authenticators and cryptography to protect user accounts. It supports various authenticators, such as physical security keys today, and in the future mobile phones, or biometric mechanisms such as face recognition or fingerprints.”

Mozilla explains Firefox “Quantum,” version 60.0 support for Web Authentication standard and USB-based security keys

Finally, a browser is jump-starting the password-free logins concept on the Internet!!

Firefox “Quantum,” version 60.0 is rolling out support for Web Authentication standard and USB-based security keys as reported in “Firefox 60 is the first browser to support password-free internet logins”, published May 11 2018 by Kevin Parrish, Digitaltrends.

Google Logo

USB-based security keys such as Yubico’s YubiKey ar a part of that mix. Yubico offers standard YubiKeys USB-A and USB-C models that remain plugged into your PC (full-size or nano). Their “Neo” models are key-chain danglers that use USB-A and NFC connectivity for PCs and Android phones. Their “FIPS” models are for government and regulated industries, so options abound for every type of customer.

Now with Firefox support, a web-based account using a one-time registration token enables your YubiKey USB Key, eliminating the need to enter a password as long as it's plugged in.  With support for face recognition and fingerprint scanning in the pipeline, you may only need to have clean digits or look you best to access you computer!!!

Yubico are physical USB keys that replace typing in passwords. So how does Web Authentication work, exactly?

WebAuthn - E2EE encryption between a Browser to a Server

The alternative, WebAuthn (Web Authentication), is equally interesting.

WebAuthn uses encrypted public and private keys; there are no passwords stored in a website’s database. Even more interesting there are no passwords for hackers to scoop on a compromised website. This is because no data is transmitted from your PC to the website.

Google Logo

WebAuthn stores your login and password credential in an encrypted form and await instructions from the user, also encrypted, to access a password protected website. This way no password data is being passed from data passed from your PC to the website; only instructions to the server to authenticate you on the website you are logging into using encrypted public and private keys.

Effectively, this is E2EE encryption between a Browser to a Server and then to the website you are logging into.

WebAuthn goal is to authenticate account owners using biometrics i.e. face or fingerprint. This is harder to hack than letters, numbers and characters hackers could eventually discover. This may mean you will have to soon invest in a fingerprint scanner and a web camera. But if web security is important to you, then this should not be a problem.

So when do you start using this? And what about Google Chrome and Microsoft Edge Browsers?

Google Chrome and Microsoft Edge Browsers - Break from centuries old passwords

WebAuthn is in its early rollout stages and currently only supports desktop web browsers.

Eventually WebAuthn will support smartphones, giving a boost and possibly replacing Two-step authentication long used by developers and companies. Chrome 67 will reportedly offer support later this month, followed by Microsoft Edge, so if you’re a fan of those browsers, you don't have long to wait!!!
Google Logo
The latest Firefox release provides other noteworthy features as well:

1.      A wider layout on new tabs
2.      A larger Top Sites menu sporting eight icons
3.      Larger Highlights icons.
4.      The Pocket’s recommendation section now displays an occasional sponsored story as well

Mozilla claims their Pocket product isn't selling associated sponsors your browsing history and making recommendations based on that data as Facebook was doing as noted in my blog article entitled “How the Facebook Data Scandal involving Cambridge Analytica is a Storm in a Teacup”.

Enterprise customer planning on deploying Mozilla 60 can now enjoy:

1.      IT to customize the browser for the office
2.      Rapid Release build that auto-updates roughly every six weeks
3.      Extended Support Release that updates once per year

Customization can be performed using the Group Policy tool on Windows, or through a JSON file supporting Mac, Linux, and Windows.

Still, the Web Authentication standard and USB-based security keys is a Quantum leap forward and represent the future where E2EE and authentication using biometrics replaces centuries old passwords!!!

No comments: