Passwords are kind of a pain. You probably have sign-in credentials for about a million services, and ideally, they're all different. Password managers can help, but they're often finicky. A new standard by the FIDO Alliance and the World Wide Web Consortium (W3C) called the Web Authentication API could simplify your digital life by allowing for password-free sign-ins across a wide variety of websites.
Instead of entering a password, users unlock with their phone's registered unlock method, be it PIN, pattern, or fingerprint. A paper on the project by the W3C is publicly available, if you want to read about it in depth. It's dense. In a nutshell, when signing in using the new standard, you enter your email address or username and choose a "Sign in with your phone" option. You're then prompted on your phone to complete the sign-in process. The process is a lot like the two-factor authentication you're (hopefully) already using, but without the use of a password.
The W3C explains the user experience like this:
- On a laptop or desktop:
  - User navigates to example.com in a browser, sees an option to "Sign in with your phone."
  - User chooses this option and gets a message from the browser, "Please complete this action on your phone."
- Next, on their phone:
  - User sees a discrete prompt or notification, "Sign in to example.com."
  - User selects this prompt / notification.
  - User is shown a list of their example.com identities, e.g., "Sign in as Alice / Sign in as Bob."
  - User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.
- Now, back on the laptop:
  - Web page shows that the selected user is signed in, and navigates to the signed-in page.
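
Underneath this user experience, the Web Authentication API has the phone sign a fresh challenge from the site with a per-site private key, and the site checks that signature against the public key it stored at registration. The Node.js simulation below is an added example, not code from the W3C paper or this article; `signAssertion`, `verifyAssertion`, `demo`, the key pair and the origins are constructed for illustration.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Phone (authenticator), simulated. The private key never leaves the device;
// a real authenticator signs only after the PIN or biometric gesture.
function signAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin, // filled in by the browser, not by the page
  }));
  const flags = Buffer.from([0x01 | 0x04]); // UP (user present) | UV (user verified)
  const signCount = Buffer.alloc(4);         // big-endian signature counter, 0 here
  const authenticatorData = Buffer.concat([sha256(rpId), flags, signCount]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Website (relying party): checks made on the server before the user is signed in.
function verifyAssertion(assertion, { publicKey, rpId, origin, challenge }) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'wrong type';
  if (clientData.challenge !== challenge.toString('base64url')) return 'challenge mismatch';
  if (clientData.origin !== origin) return 'origin mismatch';
  const authData = assertion.authenticatorData;
  if (authData.length < 37) return 'authenticator data too short';
  if (!crypto.timingSafeEqual(authData.subarray(0, 32), sha256(rpId))) return 'rpId hash mismatch';
  if ((authData[32] & 0x04) === 0) return 'user not verified';
  const signed = Buffer.concat([authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

// Constructed scenario: one valid sign-in, one stale response, one response for another origin.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const expected = { publicKey, rpId: 'example.com', origin: 'https://example.com', challenge: crypto.randomBytes(32) };
  const good = signAssertion(privateKey, expected.rpId, expected.origin, expected.challenge);
  const nextSession = { ...expected, challenge: crypto.randomBytes(32) };
  const otherOrigin = signAssertion(privateKey, expected.rpId, 'https://not-example.test', expected.challenge);
  return {
    good: verifyAssertion(good, expected),
    replayed: verifyAssertion(good, nextSession),
    wrongOrigin: verifyAssertion(otherOrigin, expected),
  };
}
```

Because the signed data covers both the server's challenge and the origin the browser observed, a captured response cannot be reused for a later sign-in or accepted from a different site, and no shared secret is ever sent to the server.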
The process might not seem practical for some use cases, but it would be handy for logging in on a computer that isn't yours, like at a library or a computer lab. Engadget reports that the standard "is useful right now" in Mozilla Firefox and is coming "in the next few months" to Chrome and Microsoft Edge.
Chrome 67 is now rolling out on the desktop, with the Web Authentication API included. We'll have a full post about the changes in Chrome 67 once it becomes available for Android.
- World Wide Web Consortium