Microsoft’s Edge browser may have just four or five per cent market share, well behind Chrome’s sixty-odd per cent and Firefox’s ten, but by adopting the recently-ratified Web Authentication API it has made that new standard a ubiquitous element of the future web experience.
The API is a World Wide Web Consortium (W3C) effort that makes it possible to use a device’s hardware, or other schemes, to gather authentication credentials. Microsoft, Google, Mozilla and others have backed the spec in order to reduce password use online, as websites that don't need to store them are a less tasty target for criminals.
Passwords are also undesirable because users choose bad ones or re-use them. They can also be discerned with brute-force attacks.
Microsoft and others have proven that biometrics can work at scale: smartphones happily handle many millions of biometric logins a day and Windows Hello works just fine on myriad PCs.
As the W3C’s documentation explains, if a website or service adopts the API, users who sign up or log in will be asked if they want to use the authentication mechanisms offered by their device. A laptop or phone that offers fingerprints, eyeball scans or PIN logins will, therefore, offer the same mechanisms for logging in to third-party websites.
There’s also provision for using USB fobs for authentication.
Perhaps the most remarkable thing about Microsoft baking the API into Edge is that the W3C hasn’t finished the standard! The API was first drafted in 2016 but is currently just a “Candidate Recommendation”. Before final endorsement it must pass through “Proposed Recommendation” and “W3C Recommendation” stages.
That the big three browser-makers have gone ahead with it anyway shows that the API will soon become ubiquitous. So will the need for website and app developers to adopt it, partly because of the security improvements it offers and partly to ensure their services keep up with consumer expectations for simple and secure logins.