People hate passwords. That's why so many people use the same basic password across multiple websites—and that in turn is why so many data breaches reach much further than most would expect. It's just not secure to use simple passwords, reuse passwords across multiple services, or share passwords with other people. Web Authentication attempts to offer the best of both worlds by letting people abandon passwords for more convenient and secure options, and now that it's supported by Microsoft Edge, the specification will continue to expand.
Web Authentication lets people use facial recognition, fingerprint scanners, FIDO2 devices and PINs instead of passwords. All of these mechanisms have trade offs—facial recognition and fingerprint scanning can be fooled, and FIDO2 devices require you to carry an extra gadget around—but they can still be considered more convenient than memorizing and entering secure passwords. Most people won't remember something like "iH%#xP2v3Ab%R!n," and even if they do, who wants to type that? If one isn't willing to use a password manager, secure passwords can be wildly inconvenient.
Microsoft thinks passwords need to go the way of the dodo. Here's what the company said in a blog post this week about supporting Web Authentication:
"Staying secure on the web is more important than ever. We trust web sites to process credit card numbers, save addresses and personal information and even to handle sensitive records like medical information. All this data is protected by an ancient security model—the password. But passwords are difficult to remember and are fundamentally insecure—often re-used and vulnerable to phishing and cracking."
The company also said Edge's implementation of Web Authentication "provides the most complete support for Web Authentication to date, with support for a wider variety of authenticators than other browsers." That's because it supports Windows Hello, which already lets Windows 10 users access their devices via facial recognition or fingerprint scanning, as well as the more standard FIDO2 devices. (Not everyone wants to evangelize Windows Hello. Apple probably doesn't care to support it with Safari, for example. But FIDO2 devices are platform agnostic.)
Microsoft likely wanted to blow its own horn regarding Edge's support for Web Authentication because it's actually a beat behind Google and Mozilla. The former added beta support for Web Authentication to Chrome in May, and the latter did the same with Firefox that same month. But it's still good that Microsoft is adding support for Web Authentication to Edge, not just because Edge users should be afforded the same options as their Chrome and Firefox-using counterparts, but also because it means the call to enable people to abandon passwords will continue to grow.
Web Authentication support is currently available in the version of Edge shipping with Windows Insider Preview Build 17723.
