The Guardian reports that the World Wide Web Consortium (W3C) is close to adopting a new authentication standard that can replace passwords. This would be some kind of “who you are” (biometric) or “what you have” (token, phone to receive code) method of authentication, rather than a “what you know” password. (I suppose a code sent to your phone is what you know, but you know it only case by case, because you have another communications channel.)
Some web services already work this way, as the article notes – or do so in special cases, as when one is logging on from an unrecognized computer.
It seems to me that if this were widely adopted, it would be a serious nuisance, both for the vast majority of websites where one does not need a secure password, and for secure ones where frequency of use teaches us to remember complex passwords – and perhaps the intermediate case where one satisfactorily uses a secure password manager like KeePass.
Once “WebAuthn” (a fine multilingual name…) becomes an international standard, though, will it be negligent for websites not to use it, even for not-particularly-confidential content? Or will it be enough if they make it an option for users, so the negligence moves to the user if his/her/its authentication method is hacked and losses follow? Would they have to give a clear explanation of the risks of not using it, so the users can’t say they did not realize the risk they were “voluntarily” assuming?
First-year torts profs, please copy…