
Goodbye passwords? WebAuthn is now an official web standard - deesep
https://www.cnet.com/news/goodbye-passwords-webauthn-is-now-an-official-web-standard/
======
beatgammit
Hopefully this means better compatibility and availability. I was excited to
find that Vanguard supports security key login, but when I went to try it out,
they only support Chrome (I was using Firefox, which also supports it).

I love the concept, but I don't think it would _replace_ passwords, just
augment them. This way we can have weaker, easier to remember passwords, with
convenient security key login as a second factor.

------
ksynwa
Can someone explain what these "security keys" are? I couldn't find details
about them in the article. Thanks.

~~~
te0006
FIDO2-compliant hardware security tokens like the YubiKey 5. Can be coupled to
Android devices via NFC. Presumably there is downward compatibility between
WebAuthn/FIDO2 and FIDO V1 so older FIDO tokens might work as well. Note,
however, that an external hardware token is not _required_ by WebAuthn/FIDO2.
The "Authenticator" can be implemented purely in software on the mobile
device, too. The FIDO Alliance's certification program has different assurance
levels commensurate with what amount of hardware security the Authenticator is
backed by. Unfortunately, the press release seems to not mention which level
or levels this general "Android FIDO2 certificate" addresses. It would of
course be good if an Authenticator implementation delivered with the OS makes
maximal use of any hardware security features that are built into the
smartphone anyway.

