Firefox 60's WebAuthn API: No Password Required

In the web browser war, Mozilla is positioning itself to dominate over the competition with its release of Firefox 60, which includes the option of a password-less signin. 

The latest version of the Firefox browser uses a Web Authentication API, WebAuthn for short, which enables authentication using public key cryptography, taking credentials management to a new level. 

The change was driven in large part by Mozilla's desire to attract younger users. Over the course of the last two years, Mozilla has been researching behavior changes in Millennials. “There's a sea change in the world right now,” Jascha Kaykas-Wolff, CMO, Mozilla, said in an interview with ZDNet.  

Mozilla's research found that a large group of Millennials care about the utility of the products they choose to use. The need for creating and constantly changing user passwords has proven to be overwhelming for end users, which brings value to a product that eliminates the need to use a password when signing in to websites. 

“This resolves significant security problems related to phishing, data breaches, and attacks against SMS texts or other second-factor authentication methods while at the same time significantly increasing ease of use (since users don't have to manage dozens of increasingly complicated passwords),” Mozilla wrote. 

WebAuthn works as a supplement to existing APIs already in use on many websites. As many Credential Management APIs do, the Web Authentication API uses both navigator.credentials.create() and navigator.credentials.get() methods to register and log in. A registration process typically has six validation steps, after which the server stores the public key specific to the user's account so that it can be used at the account owner's discretion in the future.

On 8 May, Dropbox programmer Brad Girardeau published a blog post introducing WebAuthn as a new standard for authentication enabling secure – though not password-less – sign in. “It’s a new way to interact with security keys and other 'authenticators' that standardizes and builds on key parts of U2F, the result of a collaboration between the W3C and FIDO Alliance,” Girardeau wrote.

Because the information used in WebAuthn never leaves the security key, it's reportedly much harder to steal. However, Dropbox has no immediate plans of replacing the password. “There are still many security and usability factors to consider in these scenarios before replacing passwords entirely, and we believe that enabling WebAuthn for two-step verification strikes the right balance for most users right now,” wrote Girardeau.