In the future, your phone will be your password on the web
- The World Wide Web Consortium (W3C) is working to eliminate the text-based password by using your phone as an authenticator.
- Similar to the two-factor authentication we use today, the W3C password solution would work for any site, as it's browser-based, not account-based.
- This W3C password solution is already working with Mozilla Firefox, with more browsers on the way.
The death of the password is a topic that’s been in discussion for years now, but just yesterday I signed up for an account on a site and set up a text-based password. Clearly, as much as the tech world would love to eliminate passwords, they are still going strong.
The World Wide Web Consortium (W3C), the international standards organization for the web founded by Tim Berners-Lee, in conjunction with the FIDO Alliance, has an actual solution in the pipeline. In a recent recommendation, over a dozen members of W3C laid out a plan to use mobile devices as an authenticator for your web-based accounts.
You’re probably thinking, “Don’t we already do this?” Yes, we certainly use our phones for two-factor authentication (like when you receive a text message with a code to enter into a form) and also for hardware-coded authentication (when your phone notifies you that you’ve logged into Gmail from a new location). The difference with this recent W3C password proposal is that this would be browser-based, not account-based, so any site on the web could take advantage of the system.
Here’s how it works:
- You visit a site on your phone and create a new account.
- The phone prompts you, “Do you want to register this device with this site?” You agree to the registration.
- Your phone asks you to authenticate your identity, using your fingerprint/PIN/pattern code. Your account is created.
- Later, you visit the same site on your laptop and click “Sign In.”
- You enter your username, but no password. Instead, your phone beeps.
- You see a prompt along the lines of, “Do you want to sign in to example.com?” You affirm, and once again authenticate your identity using your fingerprint/PIN/pattern.
- The web page on your laptop instantly logs you in. No password necessary.
This makes it seem more complicated than having a password, but it’s more secure by a considerable margin. It also makes it incredibly difficult for identity thieves to gain access to your accounts on multiple sites through the discovery of one single password.
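The steps above, and the reason one stolen secret no longer opens several accounts, can be modelled as a public-key challenge-response of the kind the W3C/FIDO Web Authentication (WebAuthn) work is built on. This is an added example, not code from the article or from the W3C; the class names, the user `alice`, the second site `https://other.example` and the message layout are assumptions made for illustration.

```javascript
// Simplified model of the register/sign-in flow; real WebAuthn messages carry more fields.
const nodeCrypto = require("node:crypto");
const payload = (origin, challenge) => Buffer.concat([Buffer.from(origin), challenge]);
// The phone: one private key per site, used only after the fingerprint/PIN/pattern check.
class PhoneAuthenticator {
  constructor() { this.keys = new Map(); } // origin -> private key
  register(origin, userVerified) {
    if (!userVerified) throw new Error("user verification failed");
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public key leaves the phone
  }
  signIn(origin, challenge, userVerified) {
    if (!userVerified) throw new Error("user verification failed");
    const key = this.keys.get(origin);
    if (!key) throw new Error("no credential for " + origin);
    // The origin is signed with the challenge, so the result is useless at any other site.
    return nodeCrypto.sign("sha256", payload(origin, challenge), key);
  }
}
// The website: stores a public key per username, never a password.
class Site {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(username, publicKey) { this.users.set(username, publicKey); }
  newChallenge(username) {
    const challenge = nodeCrypto.randomBytes(32); // fresh for every sign-in attempt
    this.pending.set(username, challenge);
    return challenge;
  }
  verify(username, signature) {
    const challenge = this.pending.get(username);
    const publicKey = this.users.get(username);
    this.pending.delete(username); // single use, so a captured signature cannot be replayed
    if (!challenge || !publicKey) return false;
    return nodeCrypto.verify("sha256", payload(this.origin, challenge), publicKey, signature);
  }
}
// Constructed walk-through: enroll at two sites, sign in at one, then try to reuse the signature.
function demo() {
  const phone = new PhoneAuthenticator();
  const shop = new Site("https://example.com"), other = new Site("https://other.example");
  shop.enroll("alice", phone.register(shop.origin, true));
  other.enroll("alice", phone.register(other.origin, true));
  const sig = phone.signIn(shop.origin, shop.newChallenge("alice"), true);
  const ok = shop.verify("alice", sig);
  const replay = shop.verify("alice", sig); // challenge already consumed
  other.newChallenge("alice");
  return { ok, replay, crossSite: other.verify("alice", sig) };
}
```

The site's database holds only public keys, so a breach of one site yields nothing that can be presented at that site or any other.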
You might be asking, “What if a thief steals my phone?” Hopefully, you have some sort of remote wipe set up on your device, so as soon as your phone gets stolen, you can disable it as an authenticator. If you don’t have this set up yet, you should take care of that ASAP.
Of course, this whole system only works if browsers adopt the technology. Luckily, Mozilla Firefox is already on board, with Google Chrome, Opera, and Microsoft Edge coming soon. Only Apple’s Safari is holding out so far.