FIDO: Here’s Another Knife to Help Murder Passwords

After years of promising a passwordless future – really, any day now! – FIDO is proposing tweaks to WebAuthn that could put us out of password misery. Experts aren’t so sure.

We all hate passwords, but none of us want to make logging into our accounts a hassle with extra time, steps and devices. That’s why the Fast Identity Online Alliance (FIDO) published a white paper (PDF) on Thursday, outlining different use cases for the adoption of its FIDO2 set of specifications.

At the heart of the matter: proposed WebAuthn changes that will smooth the traditional security-versus-usability trade-off that users face when considering FIDO. While FIDO can deliver better security, users have hoops to jump through, FIDO said, including the need to adopt a security key – for example, the fobs sold by Yubico – as an authentication device.

Unfortunately, if you avoid ruffling users’ feathers, you keep them in a tepid state of security, according to the paper: “Many relying parties keep their users in a password-only mode, or at best, offer phishable second factors.”

It’s proposing the following changes to WebAuthn – the API that makes it easy

