WebAuthn password-free login standard starts rolling out to major browsers
Two of the key bodies overseeing the Internet’s evolution today reached a major milestone in their effort to provide an alternative to password-based security.
The FIDO Alliance and W3C, the main group developing technical standards for the web, this morning announced that a piece of technology called WebAuthn has achieved the Candidate Recommendation stage. This means that it’s ready to start rolling out to consumers in the form of browser integration.
The Mozilla Foundation, the nonprofit organization behind Firefox, is the first major player to add support for WebAuthn, which enables users to log into online services without a password. Instead, consumers can use their mobile device or a specialized security key such as the kind sold by Yubico AB. Google LLC and Microsoft Corp. plan to roll out the technology for their respective browsers in coming months.
Apple Inc. has not yet shared whether it plans to do the same with Safari. But the iPhone maker will likely add support for WebAuthn sooner or later, given that several of its engineers took part in the creation of the standard.
The move to advance the technology to the Candidate Recommendation stage, one of the last stops before final approval, follows two years of development work by Apple, Google, Microsoft and several other major tech firms. The National Institute of Standards and Technology contributed to the effort as well.
The broad participation in the project reflects how important a purpose WebAuthn aims to serve. Reducing consumers’ reliance on passwords could help mitigate the threat posed by hacking tactics such as phishing, which involves tricking people into sharing their login credentials.
Requiring a physical device instead of a password to sign into an account effectively means an attacker is left with nothing to steal. For the same reason, WebAuthn should also be effective against man-in-the-middle and session rewind attacks that intercept login data sent over insecure connections.
Currently, only a few tech firms let users sign into their services using a physical authentication device. The FIDO Alliance and W3C hope that the addition of WebAuthn support to major browsers will make it easier for developers to implement the approach, thus widening adoption. But there’s likely still a long way to go before consumers can replace passwords with hardware-based authentication as their go-to login method.