Password-free logins have long been the stuff of dreams for security researchers and privacy advocates—not to mention regular people who fat-finger their account passwords into a browser every day. Industry efforts to end our reliance on the multi-character password have resulted in the proposal of numerous alternative login methods, including biometric verification and the use of behavioral data to prove an individual's identity. But most of these attempts haven't yet led to the promised land: a web without passwords.

Now, a new standard for the web called WebAuthn is being lauded as a major step forward in secure authentication, and "probably the most effective anti-phishing measure for the web that's out there," according to Selena Deckelmann, senior director of engineering for Mozilla Firefox. It introduces a set of rules for the web that, if adopted by popular browsers and websites, would mean people could use a single device or a single fingerprint to log into, well, almost everything.

But like the password-free attempts before it, WebAuthn still faces hurdles before it becomes something that impacts the masses. Some security and identity experts seem reluctant to claim that our password-free future has finally arrived. And a lot of WebAuthn's success comes down to whether hugely popular websites like Amazon or Facebook will adopt this new standard.

Who Are You?

The new WebAuthn standard is a joint effort between the World Wide Web Consortium (W3C) and the FIDO Alliance, which is made up of a variety of tech and finance companies and is chaired by online identity experts. (FIDO stands for "Fast Identity Online".) WebAuthn builds on top of two pre-existing FIDO specifications—U2F and UAF—that some websites already use to verify a user's identity through what's known as 2FA, or two-factor authentication. This login method, which requires a user to present both a password and a second, independent proof of identity in order to access their account, is a far more reliable way of confirming somebody's identity than asking for a password alone.

All around the web, non-password authentication is usually offered only as a secondary option for logging into a website. By enabling web browsers to handle these sign-ins natively, proponents of WebAuthn could push for them to become the web's primary means of user authentication. Google, Mozilla, and Microsoft have all said they're on board.

That's a lot of jargon and a bit confusing. But, basically, it means that logging into browsers and online accounts could be both easier and more secure for consumers. You could log in either by using a physical key that plugs into your computer's USB port, like the new, $20 YubiKey announced last week that supports the new FIDO2 protocol, or by using a biometric login like a fingerprint. There might be an initial sign-in or sign-up process that involves entering a password. But after that, logging in would be, in theory, a one-step process. (Here's a good primer on how to use a YubiKey.)

One example, says Dave Bossio, a group program manager for operating system security at Microsoft, would be using Windows Hello as an authenticator for your browser on your laptop. And since Windows Hello covers three forms of authentication–a PIN, a fingerprint sensor, or a facial-recognition camera–it would give people different options. "The browser [support] will start lining up in the mid-to-second-half of 2018," Bossio says, "so that's when there will be one provisional step, once that party has enabled their backend to support FIDO2, and after that it will be one-step authenticating that account."

A Touch of Security

In some ways, the new standard is similar to Apple's "TouchID, but one step forward," says Zhiwei Li, the founder and chief executive of a password protection startup called Pepperword. Li also gained attention for exposing vulnerabilities in the password-management app LastPass back in 2013.