Despite the name, its purpose is to let you authenticate without a password you have to remember, and instead to encourage two-factor authentication and per-device keys.
The idea is a client-side (browser) API that lets a service prove who you are with a pair of cryptographic keys tied to the device you are logging in from: the private key stays on that device, and the service checks its signatures against the public key it holds.
An existing proposal, FIDO 2.0, submitted to the W3C in late 2015 by engineers from Google, Microsoft and PayPal, will be used as the framework for the new standard.
FIDO suggests that when you visit a website, the sign-in prompt directs you to your phone to confirm that it is really you; if you accept, you are signed in securely on your computer.
The proposal also covers what happens if you lose your phone: once you report it lost, that credential can no longer be used to log in until you re-register. This in itself could be an issue, since the new API may assume your phone is always on your person, though it is too early to say for sure.
In charge of the group are Richard Barnes, Firefox Security Lead at Mozilla, and Anthony Nadalin, Partner Architect at Microsoft Corporation.
The standard is due for submission by December 2016, and it will take much longer to reach browsers, since it first has to go through a consultation stage and become a Proposed Recommendation before it is made official.
Still, it is exciting that the stewards of the Web are looking at how to solve the problem of most people still using “password” as their password; a way to stop having to remember them all would be welcome.
The death of the password is near, and I can’t wait to stop using them.