Microsoft Edge Moves Away From Passwords

People hate passwords. That's why so many people use the same basic password across multiple websites—and that in turn is why so many data breaches reach much further than most would expect. It's just not secure to use simple passwords, reuse passwords across multiple services, or share passwords with other people. The Web Authentication specification wants to offer the best of both worlds by letting people abandon passwords for more convenient and secure options, and now that it's supported by Microsoft Edge, the spec will continue to expand.

Web Authentication lets people use facial recognition, fingerprint scanners, FIDO2 devices and PINs instead of passwords. All of these mechanisms have trade offs—facial recognition and fingerprint scanning can be fooled, and FIDO2 devices require you to carry an extra gadget around—but they can still be considered more convenient than memorizing and entering secure passwords. Most people won't remember something like "iH%#xP2v3Ab%R!n," and even if they do, who wants to type that? If one isn't willing to use a password manager, secure passwords can be wildly inconvenient.

Microsoft thinks passwords need to go the way of the dodo. Here's what the company said in its blog post about supporting Web Authentication:

"Staying secure on the web is more important than ever. We trust web sites to process credit card numbers, save addresses and personal information and even to handle sensitive records like medical information. All this data is protected by an ancient security model—the password. But passwords are difficult to remember, and are fundamentally insecure—often re-used and vulnerable to phishing and cracking."

The company also said Edge's implementation of Web Authentication "provides the most complete support for Web Authentication to date, with support for a wider variety of authenticators than other browsers." That's because it supports Windows Hello, which already lets Windows 10 users access their devices via facial recognition or fingerprint scanning, as well as the more standard FIDO2 devices. (Not everyone wants to evangelize Windows Hello. Apple probably doesn't care to support it with Safari, for example. But FIDO2 devices are platform agnostic.)

Microsoft likely wanted to blow its own horn regarding Edge's support for Web Authentication because it's actually a beat behind Google and Mozilla. The former added beta support for Web Authentication to Chrome in May, and the latter did the same with Firefox that same month. But it's still good that Microsoft is adding support for Web Authentication to Edge, not just because Edge users should be afforded the same options as their Chrome and Firefox-using counterparts, but also because it means the call to let people abandon passwords will continue to gain volume.

Web Authentication support is currently available in the version of Edge shipping with Windows Insider Preview Build 17723.

This thread is closed for comments
3 comments
    Your comment
  • therealduckofdeath
    It is kind of the right way to go but it's not without issues. Either it'll lock users into ecosystems (browsers in this case), as the authentication in locked to the ecosystem, or we'll have a new, deeper level of security problem at our finger tips, if the security will be in some sort of open platform.
  • AnimeMania
    Microsoft wrote:
    "Staying secure on the web is more important than ever. We trust web sites to process credit card numbers, save addresses and personal information and even to handle sensitive records like medical information."
    The first statement is true and the second is not. One person doing something stupid and getting their personal information stolen is tragic, while a corporation doing something stupid and getting millions of people's personal information stolen should be a crime. I thought up a password that is secure and I can remember, why can't I use it everywhere I want. Corporations should air gap or something very close to that, our personal data and passwords since they take it without any way for us to opt out of their prying eyes. The real problem isn't on our end, it's on theirs.
  • hellwig
    1839266 said:
    ...One person doing something stupid and getting their personal information stolen is tragic, while a corporation doing something stupid and getting millions of people's personal information stolen should be a crime....


    Exactly, no one phished me for my Experian data, my Home Depot purchases, my Target purchases, my TMobile data (thanks Equifax? Experian? TransUnion? who can remember), my AshleyMadison... no wait, nevermind.