This new development could mean the end of the use of passwords. A new Web standard, ‘WebAuthn’, is poised to make the use of passwords for logging in obsolete. The new standard Application Program Interface, which recently won approval from the World Wide Web Consortium (W3C), can be incorporated into browsers & other Web infrastructure.
It allows users to authenticate themselves on the Internet in a more secure & convenient manner as compared to passwords. Already, it is reported, Google, Microsoft & Mozilla have committed to supporting WebAuthn in their browsers. Developers have begun to implement the standard for Windows, Mac, Linux, Chrome OS & Android.
According to a joint press release issued by FIDO alliance & W3C, the latter said it had “advanced Web Authentication (WebAuthn), a collaborative effort based on Web API specifications submitted by FIDO to the W3C, to the Candidate Recommendation (CR) stage.” The CR is the product of the Web Authentication Working Group, which has representatives from over 30 member organizations. CR is a precursor to final approval of a Web standard, & the W3C has invited Online services & Web app developers to implement WebAuthn.
WebAuthn has been developed in coordination with FIDO Alliance. It is a core component of the FIDO2 Project along with FIDO’s Client to Authenticator Protocol (CTAP) specification. CTAP enables an external authenticator, such as a security key or a mobile phone, to communicate strong authentication credentials locally over USB, Bluetooth or NFC to the user’s Internet access device. The FIDO2 specifications collectively enable users to authenticate easily to Online services with desktop or mobile devices with phishing-resistant security.
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, & correct the problems users face with creating & remembering multiple usernames or passwords.
“Security on the Web has long been a problem which has interfered with the many positive contributions the web makes to society. While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link.” – W3C CEO Jeff Jaffe.
WebAuthn & FIDO2 Project Benefits
W3C’s WebAuthn API, a standard Web API that can be incorporated into browsers & related Web platform infrastructure, enables strong, unique, public key-based credentials for each Site, eliminating the risk that a password stolen from one Site can be used on another. A Web application running in a browser loaded on a device with a FIDO Authenticator can call a public API to enable simpler, stronger FIDO Authentication of users, with cryptographic operations in place of, or in addition to, password exchange. This delivers many advantages to service providers and users alike:
- Simpler authentication: users simply log in with a single gesture using:
  - Internal or built-in authenticators (such as fingerprint or facial biometrics) in PCs, laptops and/or mobile devices
  - Convenient external authenticators, such as security keys & mobile devices, for device-to-device authentication using CTAP, a protocol for external authenticators developed by the FIDO Alliance that complements WebAuthn
- Stronger authentication: FIDO Authentication is much stronger than relying only on passwords & related forms of authentication, & has these advantages:
  - User credentials & biometric templates never leave the user’s device & are never stored on servers
  - Accounts are protected from phishing, man-in-the-middle & replay attacks that use stolen passwords
- Developers can get started on creating apps and services that leverage FIDO Authentication on FIDO’s new developer resources page.
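
The server-side checks behind the per-site credentials and the phishing and replay protections listed above, as an added example (not code from this article, the W3C or the FIDO Alliance). It assumes Node.js with its built-in `crypto` module; the function names, the relying party `example.com`, the look-alike origin and the simulated authenticator are constructed for illustration and stand in for a real browser and security key.

```javascript
// Added example: relying-party checks on a WebAuthn login assertion.
const crypto = require("node:crypto");

const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest();
const issued = new Set(); // challenges the server has issued and not yet consumed

function issueChallenge() {
  const c = crypto.randomBytes(32).toString("base64url");
  issued.add(c);
  return c;
}

// Returns "ok" or the reason the assertion is rejected.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, publicKey, rp) {
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  // Phishing resistance: the browser, not the page, records the origin it is on.
  if (client.origin !== rp.origin) return "origin mismatch";
  // Replay resistance: each server-issued challenge is accepted exactly once.
  if (!issued.delete(client.challenge)) return "unknown or reused challenge";
  // authenticatorData begins with SHA-256 of the RP ID the credential is scoped to.
  if (!authenticatorData.subarray(0, 32).equals(sha256(rp.id))) return "rpId mismatch";
  if ((authenticatorData[32] & 0x01) === 0) return "user not present";
  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad signature";
}

// Constructed stand-in for browser + authenticator so the example runs offline.
function simulateAssertion(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  const flagsAndCounter = Buffer.from([0x01, 0, 0, 0, 1]); // user-present flag, signCount = 1
  const authenticatorData = Buffer.concat([sha256(rpId), flagsAndCounter]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign("sha256", signed, privateKey) };
}

function demo() {
  const rp = { id: "example.com", origin: "https://example.com" };
  // Only the public key is stored server-side; the private key stays on the device.
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const genuine = simulateAssertion(privateKey, issueChallenge(), rp.origin, rp.id);
  const first = verifyAssertion(genuine, publicKey, rp);    // fresh assertion
  const replayed = verifyAssertion(genuine, publicKey, rp); // same bytes sent again
  const relayed = simulateAssertion(privateKey, issueChallenge(), "https://lookalike.example", "lookalike.example");
  return { first, replayed, phished: verifyAssertion(relayed, publicKey, rp) };
}
```

A production relying party would also check the signature counter and use a maintained WebAuthn library rather than hand-rolled parsing.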