With the Firefox 60 release on May 9, Firefox became the first major browser to support the Web Authentication API. This API enables users to avoid text-based passwords for websites and instead use a local device with a biometric check or private PIN to generate a secure cryptographic identifier. Support for the API is in development for Chrome and Edge, and under consideration for Safari.

The specification comes from the FIDO Alliance in collaboration with the W3C. According to the FIDO Alliance website:

The specifications and certifications from the FIDO Alliance enable an interoperable ecosystem of hardware-, mobile- and biometrics-based authenticators that can be used with many apps and websites. This ecosystem enables enterprises and service providers to deploy strong authentication solutions that reduce reliance on passwords and protect against phishing, man-in-the-middle and replay attacks using stolen passwords.

The Web Authentication API would allow users to sidestep the insecurity and frustration of having to remember passwords for every website in favor of a simple biometric check on a physical device like a phone or USB device. In a blog post, Nick Steele of Duo Security explains what this would look like:

There are more than a few different cases for how WebAuthn would work in practice, but the most common example is this: A user visits a website, let’s say cat-facts.com, on their laptop and goes to register an account. After pressing a button to begin registration on the site, they receive a prompt on their phone saying "Register with cat-facts.com." Once they’ve accepted the request, the user would be asked to perform an "authorization gesture," such as typing in a PIN or biometric action that is associated with the account they are creating. After providing this, the website on the laptop would display something to the effect of "Registration complete!" The user can now log in to cat-facts.com using the same phone and authorization gesture.

According to the Chrome tracking bug, the Web Authentication API will be available in Google Chrome version 67 for Desktop, scheduled for release on May 27, 2018. Microsoft Edge supports an earlier version of the API, with differences noted in Microsoft's developer documentation. There is a polyfill available to support the current version of the API in Edge. As far as Safari is concerned, the status is murky. The Chrome tracker lists the API as under development in Safari, while the WebKit feature status lists it as ‘under consideration’.

An article in 9to5Mac speculates on why Apple might be motivated to implement the feature:

There’s as yet no word on Safari, but with all current and recent iPhones and iPads offering either Face ID or Touch ID, and the latter supported on the MacBook Pro too, this would be tailor-made for Apple. It cannot be used with other browsers without Apple’s support.

Developers interested in getting started with the Web Authentication API can learn about it in a short tutorial on Google’s developer website or dive into the documentation on MDN.
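
The phishing and replay protection mentioned above rests on checks the website's server makes on the `clientDataJSON` the browser returns. The following is an added example, not code from the article or from any project it cites; the function names are hypothetical and the origin `https://cat-facts.com` is assumed from the example site in the quote.

```javascript
const { randomBytes, timingSafeEqual } = require("node:crypto");

// Assumed relying-party origin (hypothetical, from the article's example site).
const EXPECTED_ORIGIN = "https://cat-facts.com";

// Issue a fresh random challenge per ceremony; the server keeps it in the session.
function newChallenge() {
  return randomBytes(32).toString("base64url");
}

// Check the clientDataJSON bytes returned alongside a credential.
// Returns { ok: true } or { ok: false, reason }.
function verifyClientData(clientDataJSON, expectedChallenge, expectedType) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  // "webauthn.create" for registration, "webauthn.get" for login.
  if (data.type !== expectedType) return { ok: false, reason: "wrong ceremony type" };
  // The browser records the origin it actually loaded, so a response
  // produced on a look-alike site fails here.
  if (data.origin !== EXPECTED_ORIGIN) return { ok: false, reason: "origin mismatch" };
  // A challenge that is not the one just issued indicates a replayed response.
  const got = Buffer.from(String(data.challenge), "base64url");
  const want = Buffer.from(expectedChallenge, "base64url");
  if (got.length !== want.length || !timingSafeEqual(got, want)) {
    return { ok: false, reason: "challenge mismatch" };
  }
  return { ok: true };
}

// Constructed sample input: the bytes a browser would send for this origin/challenge.
function sampleClientData(origin, challenge, type = "webauthn.create") {
  return Buffer.from(JSON.stringify({ type, challenge, origin }));
}
```

A real relying party also verifies the authenticator data and signature that cover these bytes; an established WebAuthn server library handles that part.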