WebAuthn is now a W3C recommendation, bringing us one step closer to not having to use passwords anymore. If you’re not familiar with WebAuthn, here’s a little demo (if you don’t own a security key, it’ll probably work best on an Android phone with a fingerprint reader).
That I needed to add a disclaimer for the demo indicates the state of WebAuthn authenticator support. It’s nice when it works, but it’s clearly still in progress, and that progress varies. WebAuthn also doesn’t cover how the authenticator device works; that falls under the proposed CTAP standard. Together they form the FIDO2 Project. Currently, the most reliable option is to purchase a security key, but quality varies wildly, and needing to carry around an extra dongle just for logging in to sites is no fun.
What WordPress Needs
Anything that replaces passwords needs to provide some extra benefit, without losing the strengths of the password model:
- Passwords are universally understood as an authentication model.
- They’re portable: you don’t need a special app or token to use them anywhere.
- They’re extendable: strong passwords can be enforced as needed. Additional authentication (2FA codes, for example) can be added, too.
Magic login links are an interesting step in this direction. The WordPress mobile apps added magic login support for WordPress.com accounts a while ago; I’d love to see this working on all WordPress sites.
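To make concrete what a magic login link has to get right, here is an added example (not code from this post, from WordPress, or from the WordPress mobile apps) of the server side of the flow: a random token is generated, only its hash is stored alongside the account and an expiry, the raw token goes out in the emailed link, and redeeming it is single-use and time-bound so a leaked database or an old email cannot be replayed. The `MagicLinkStore` class, the in-memory dictionary standing in for a database, and the 15-minute lifetime are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Assumed lifetime for a link; real deployments tune this to their threat model.
TOKEN_TTL_SECONDS = 15 * 60


def _digest(token: str) -> str:
    """Hash the raw token so the stored value is useless if the store leaks."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class MagicLinkStore:
    """Hypothetical server-side store for pending magic login links.

    The dictionary stands in for a database table keyed by token hash.
    `clock` is injectable so expiry behaviour can be exercised deterministically.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # token_hash -> (email, expires_at)

    def issue(self, email: str) -> str:
        # 32 random bytes from the OS CSPRNG; the raw token only ever travels
        # inside the emailed link and is never written to the store.
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[_digest(token)] = (email, expires_at)
        return token

    def redeem(self, token: str):
        """Return the account email for a valid token, or None.

        The entry is removed before any check so a link can be used once only,
        whether or not it turns out to be expired.
        """
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None  # unknown, already used, or forged token
        email, expires_at = entry
        if self._clock() > expires_at:
            return None  # link arrived too late; the entry is already gone
        return email

    def pending_count(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    store = MagicLinkStore()
    link_token = store.issue("user@example.com")  # constructed sample account
    print("login link: https://example.com/login?token=" + link_token)
    print("first redeem:", store.redeem(link_token))
    print("second redeem:", store.redeem(link_token))
```

Because the raw token is 256 bits from a CSPRNG, a plain SHA-256 lookup is enough here; the hash is there to protect the store contents at rest, not to stretch a low-entropy secret. Removing the entry before the expiry check means an expired link is also consumed, which keeps the pending table from filling with dead entries.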
A WebAuthn-based model would be a wonderful future step, once the entire user experience is more polished.
The password-less future hasn’t quite arrived yet, but we’re getting closer.