What “WebAuthn” Is and How It Might Replace Passwords

Are you not a fan of passwords? Perhaps you find it tricky to remember them all, or you dislike the idea that every site is one data breach away from leaking your login information onto the Internet. Recently, there’s been a development in WebAuthn that may make logging onto websites much easier. If successful, this new standard may be a great backup second authentication method or even take over passwords entirely!

What Is “WebAuthn”?


Have you ever used a phone or laptop that had the capability to scan a fingerprint? You can use the scanner to replace the password login for your device, so you don’t have to type anything. In a way, WebAuthn is like that, only to log into websites instead of a device.

Let’s say you want to log onto a website. It supports WebAuthn as a verification method, so you decide to use it. When you go to sign up, you can add WebAuthn credentials to the account. These credentials can range from a PIN, to a biometric scan (such as a fingerprint), to a USB key dongle.

Despite the fact this technology is very new, there are already a few ways you can validate yourself via WebAuthn. Yubikey is compatible with WebAuthn, so you can use it to validate yourself by plugging it into a USB port when signing up. If you own a phone with a biometric scan, you could use that as your validation device when logging onto sites.

Once you’ve registered a device with the site, you can then use your designated login method in the future. For instance, if you used the mobile phone example above, you’ll go to the login page of the site, and your phone will ask you for your biometric scan to confirm who you are.

WebAuthn can be used in conjunction with a regular password as part of two-factor authorisation, but if this technology takes off, there’s nothing to say it can’t become the primary method of logging on and replacing passwords altogether.

How Does It Beat Passwords?


The main forte of using WebAuthn to log on is that it shuts down phishing attempts. Users can have their passwords stolen by fake websites and scam emails, but this isn’t the case with WebAuthn. Biometric scans, for instance, are much harder to “steal” than a password.

Due to how WebAuthn works, websites that use WebAuthn don’t see any of the data used to verify the user; they just see a confirmation¬† that the user is who they say they are. This means people can’t harvest sensitive data (such as biometric scans) from a WebAuthn login process and use it to impersonate others.

Will It Replace Passwords?


WebAuthn has the potential to fully replace passwords, but it’s definitely not a guarantee, nor something that will happen overnight. The reason WebAuthn has hit the news lately is because the technology is reaching the final stages of finalization. Firefox and Chrome both support WebAuthn, which means that websites can now use this technology if they wish.

This is the phase where public interest comes into play. If developers think WebAuthn is a waste of time, especially the ones doing work for the big sites such as Amazon, it won’t be implemented, and WebAuthn will die out. Similarly, if it is implemented and nobody uses it, it may not gain enough traction to stay relevant. Even if it’s implemented and well used, it may take some time before it fully replaces passwords.

Open Sesame

With so many phishing attacks and database leaks in the modern day, a change of security measures might be a breath of fresh air. WebAuthn may be that revolution by either acting as a second wall of security or even replacing passwords altogether!

Do you want WebAuthn to take over for the traditional password? Or is it too much hassle? Let us know below!

Simon Batt
Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox