81% of all hacking-related breaches start with stolen or weak passwords…
eBay has become the latest company to move towards phasing out passwords, adding WebAuthn-based logins to its web-based version of the ecommerce platform; which has over 183 million registered buyers.
With adoption of the emerging security standard, the company is also one of the first major ecommerce platform to enable biometric authentication as a first factor authentication on web browsers.
Supported devices include Android phones with biometrics enabled using the Chrome browser version 75 and higher, eBay said in a developer blog, saying it plans to expand to more platforms in the future.
What is WebAuthn?
WebAuthn is an emerging standard written by the W3C and FIDO that replaces passwords with an that API allows servers to register and authenticate users using public key cryptography instead of a password.
The specification was created with the participation of Google, Mozilla, Microsoft, Yubico, and others. As of September 2018, there is support for WebAuthn in the stable builds of Chrome, Firefox and Edge.
Users can deploy a fob like a YubiKey to log into their online accounts without typing a password, or use biometrics.
(eBay already offered the feature on its mobile application ).
Read this: Microsoft Launches Public Preview of Security Key Support: Password-Free Life Creeps Closer
With an estimated 81 percent of all hacking-related breaches starting with stolen or weak passwords and the brute-forcing of passwords ever easier, consensus is growing that passwords as an authentication factor (certainly as a primary one) are a security risk for both businesses and consumers.
Security specialists that while various aspects of WebAuthn continue to be enhanced, the credential API is not expected to change much and now is as good a time as any to develop WebAuthn applications.
For businesses/developers working on their own code, the FIDO Alliance has been developing conformance tools for testing FIDO2 operability, so production-ready implementations of WebAuthn/FIDO2 architecture can be put to the test.