Passwords are kind of a pain. You probably have sign-in credentials for about a million services, and ideally, they're all different. Password managers can help, but they're often finicky. A new standard by the FIDO Alliance and the World Wide Web Consortium (W3C) called Web Authentication API could simplify your digital life by allowing for password-free sign-ins across a wide variety of websites.
Instead of entering a password, users use their phone's registered unlock method, be it PIN, pattern, or fingerprint. A paper on the project by the W3C is publicly available, if you want to read about it in-depth. It's dense. In a nutshell, when signing in using the new standard, you enter your email address or username and choose a "Sign in with your phone" option. You're then prompted on your phone to complete the sign-in process. The process is a lot like the two-factor authentication you're (hopefully) already using, but without the use of a password.
The W3C explains the user experience like this:
- On a laptop or desktop:
- User navigates to example.com in a browser, sees an option to "Sign in with your phone."
- User chooses this option and gets a message from the browser, "Please complete this action on your phone."
- Next, on their phone:
- User sees a discrete prompt or notification, "Sign in to example.com."
- User selects this prompt / notification.
- User is shown a list of their example.com identities, e.g., "Sign in as Alice / Sign in as Bob."
- User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.
- Now, back on the laptop:
- Web page shows that the selected user is signed in, and navigates to the signed-in page.
The process might not seem practical for some use cases, but it would be handy for logging in on a computer that isn't yours, like at a library or a computer lab. Engadget reports that the standard "is useful right now" in Mozilla Firefox and is coming "in the next few months" to Chrome and Microsoft Edge.
- World Wide Web Consortium