Microsoft Brings Web Authentication to Its Edge Browser

By adding web authentication capabilities, Microsoft says it wants to bolster security for Edge browser users.

Microsoft Edge

Microsoft's Edge web browser now includes support for user authentication using facial recognition, fingerprints, PIN numbers or authenticated mobile devices as a replacement for outdated and less secure password-based log-ins.

Starting with Microsoft Edge build 17723, the browser now supports the new password-less web authentication specifications from W3C, according to a July 30 post on the Microsoft Windows Blogs. By improving user authentication processes, enterprises will be able to provide more secure user experiences and transactions through websites, vastly improving security across the internet, according to Microsoft.

The integration of the password-less specifications in the latest Edge browser has been a goal of the browser since 2016, when Microsoft shipped its first preview implementation of the web authentication API in Edge, wrote Angelo Liao, the program manager for Microsoft Edge, and Ibrahim Damlaj, the program manager for Windows Security, in the post.

"With web authentication, Microsoft Edge users can sign in with their face, fingerprint, PIN, or portable FIDO2 devices, leveraging strong public-key credentials instead of passwords," wrote Liao and Damlaj. In the past, websites have trusted passwords to process credit card numbers and save addresses and personal information including sensitive records such as medical information.

"All this data is protected by an ancient security model—the password," they wrote. "But passwords are difficult to remember, and are fundamentally insecure—often re-used, and vulnerable to phishing and cracking."

That's why Microsoft has been working to move away from passwords in the Edge browser and replace them with biometric and other forms of authentication, Liao and Damlaj wrote. The company has been working with the FIDO Alliance and others to develop the new standards for improved security online. In March, the FIDO Alliance announced that the Web Authentication APIs had reached Candidate Recommendation (CR) status in the W3C, readying them for use.

The latest build 17723 of Edge now supports that CR version of the web authentication specifications.

"Our implementation provides the most complete support for web authentication to date, with support for a wider variety of authenticators than other browsers," wrote Liao and Damlaj. "With Windows Hello face recognition, users can log in to sites that support web authentication in seconds, with just a glance."

Windows Hello users can also be authenticated without a password on any Windows 10 device using fingerprint recognition or a PIN number to sign in to websites.

The FIDO2 Project is working to create a FIDO Authentication standard for the web that works with FIDO-certified devices to help provide user authentications as well. Users will also be able to use external FIDO2 security keys to authenticate themselves with a removable device and their biometrics or PIN number.

Websites that are not ready to move to a completely password-less model are expected to have backward compatibility with FIDO devices so a strong second authentication factor can be used in addition to a password.

The introduction of these password-less authentication systems and processes is continuing with a myriad of industry partners, the post continued. "Password-less authentication experiences like this are the foundation of a world without passwords."

Developers who want to dive more deeply into web authentication in Microsoft Edge can peruse Microsoft's Web Authentication dev guide, or install Windows Insider Preview build 17723 or higher to try it for themselves.