Microsoft Edge now supports the Web Authentication specification for password-free logins. Support actually appeared in Build 17723 for Windows Insider Fast Ring participants and Build 18204 in the Skip Ahead program last week, but Microsoft didn’t mention the feature until this week’s report.
Already supported in Firefox and Google Chrome, Web Authentication is a means of signing in to websites without a password. Once you create an account or set up two-factor authentication, it creates a pair of cryptographic keys, one that resides on the website end (public) and one that resides on your end of the connection (private).
Thus, when you attempt to log into the account, the site sends a request that can only be answered with your private key. To approve it, you would simply scan your finger, enter a PIN, scan your face, or touch a USB-based security key like those sold by Yubico.
The big deal with Web Authentication is that there’s no stand-alone software installed on your PC that handles the private key. Instead, the exchange is handled by Microsoft Edge and a supporting website, so there is nothing to hack to retrieve stored passwords. And in the case of Microsoft Edge, your password-free logins are tied into Windows Hello.
If you’re not familiar with Windows Hello, it’s Microsoft’s password-free platform for Windows 10. It supports fingerprint scanners and facial recognition — if your PC has the hardware — along with PIN numbers. For instance, all you need to do is look at the screen to log onto Windows 10 rather than type credentials on a keyboard if your PC supports facial recognition. Using Microsoft Edge, Windows 10 extends that capability to supporting websites.
“For websites that are not ready to move to a completely passwordless model, backwards compatibility with FIDO U2F devices can provide a strong second factor in addition to a password,” the company says. “We’re working with industry partners on lighting up the first passwordless experiences around the web.”
U2F stands for Universal 2nd Factor, an open-source authentication standard started by Google and Yubico along with NXP Semiconductors. It’s now maintained by the FIDO Alliance, a consortium that includes not only Google, Yubico and NXP, but also American Express, Bank of America, Intel, Lenovo, MasterCard, Microsoft, Qualcomm, Samsung, and many others.
Web Authentication, maintained by the World Wide Web Consortium (W3C), is a component that’s baked directly into web browsers and supports the U2F standard. If the website supports Web Authentication, then you won’t need a security code sent to you via SMS, nor will you need an app to grant access if you have two-factor authentication enabled. Even more, you won’t need to maintain a volume of different passwords but simply provide a face or a finger.
“We started this journey in 2016, when we shipped the industry’s first preview implementation of the Web Authentication API in Microsoft Edge,” Microsoft says. “Since then, we have been updating our implementation too as we worked with other vendors and the FIDO alliance to develop the standard.”
Passwords are an ancient technology, Microsoft says.