Mozilla has released Firefox 60 with support for a new option to sign in to websites without using a password.
That’s thanks to an emerging W3C standard called Web Authentication, or WebAuthn, which is enabled by default in Firefox 60 and is coming later this month to Chrome 67 and Microsoft Edge. It’s also under consideration for Safari.
By removing passwords, the WebAuthn API will make phishing attacks a lot harder and give users more convenient authentication choices, including hardware security key dongles such as a YubiKey device, fingerprint readers on smartphones, or facial-recognition systems like the iPhone X’s Face ID.
A key advantage, shared with the FIDO Alliance’s predecessor U2F standard for security keys, is that WebAuthn generates cryptographic public-private key pairs for signing in, which means there are no shared secrets that could be leaked if a site is hacked.
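As an added illustration (not code from Mozilla or the WebAuthn specification), this Node.js sketch models the key-pair login described above in simplified form: the site stores only a public key, and the signed data covers the challenge and the origin the browser actually saw, so a look-alike site or a leaked site database yields nothing reusable. The function names, the JSON layout and the example.test origins are assumptions made for this example; in a browser the real entry points are navigator.credentials.create() and navigator.credentials.get().

```javascript
const crypto = require('crypto');

// Registration: the authenticator makes a key pair; only the public key leaves the device.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    authenticator: { privateKey }, // never sent to the site
    serverRecord: { publicKey: publicKey.export({ type: 'spki', format: 'pem' }) },
  };
}

// Login step 1: the site issues a fresh random challenge.
function newChallenge() {
  return crypto.randomBytes(32).toString('base64url');
}

// Login step 2: the browser fills in the origin it is really on, then the key signs it.
function signAssertion(authenticator, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), authenticator.privateKey);
  return { clientData, signature };
}

// Login step 3: the site checks the signature first, then the challenge and origin it covers.
function verifyAssertion(serverRecord, expectedChallenge, expectedOrigin, assertion) {
  const data = Buffer.from(assertion.clientData);
  if (!crypto.verify('sha256', data, serverRecord.publicKey, assertion.signature)) {
    return 'bad-signature';
  }
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expectedChallenge) return 'stale-challenge';
  if (origin !== expectedOrigin) return 'wrong-origin';
  return 'ok';
}

// Constructed scenario: one real login and three ways an assertion can be rejected.
function demo() {
  const { authenticator, serverRecord } = register();
  const site = 'https://example.test'; // constructed origin
  const challenge = newChallenge();
  const good = signAssertion(authenticator, challenge, site);
  const lookalike = signAssertion(authenticator, challenge, 'https://examp1e.test');
  const otherKey = register().authenticator; // holder of the public key only
  return {
    legit: verifyAssertion(serverRecord, challenge, site, good),
    phishing: verifyAssertion(serverRecord, challenge, site, lookalike),
    replay: verifyAssertion(serverRecord, newChallenge(), site, good),
    forged: verifyAssertion(serverRecord, challenge, site, signAssertion(otherKey, challenge, site)),
  };
}
```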
Though the standard is currently only rolling out to desktop browsers, mobile browsers are likely to support it in future too.
Beyond signing into websites, WebAuthn combined with another W3C standard in development, the Payment Request API, will one day make it possible to authorize online purchases from a mobile browser using a fingerprint.
But as it stands, Firefox for the desktop is the first browser to support WebAuthn. According to Mozilla, WebAuthn currently supports security keys such as those from Yubico when plugged into a USB port, but in future it will enable biometric login from mobile devices following a notification issued by a website, so long as the site also supports WebAuthn.