BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage News W3C and FIDO Alliance Finalized WebAuthn, Web Standard for Secure, Passwordless Logins

W3C and FIDO Alliance Finalized WebAuthn, Web Standard for Secure, Passwordless Logins

This item in japanese

Lire ce contenu en français

Bookmarks

The World Wide Web Consortium (W3C) and the Fast IDentity Online (FIDO) Alliance recently announced that the Web Authentication (WebAuthn) specification is now an official web standard. WebAuthn allows users to log in via biometrics, mobile devices and/or FIDO security keys, with higher security over passwords alone.

WebAuthn is a new web API for browsers and web platforms which enables the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of user authentication. WebAuthn is already supported in Windows 10, Android, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (preview) Web browsers. WebAuthn has been implemented on major websites such as Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter. Yubico, W3C member, testified about the importance of WebAuthn and its cross-browser, cross-platform availability:

(…) standardization of W3C’s WebAuthn marks a milestone in the history of open authentication standards and internet security. Together, we achieved the near-impossible: the creation of a global standard supported by all platforms and browsers.

W3C’s WebAuthn recommendation is an important part of the FIDO Alliance’s FIDO2 set of specifications. An important feature of FIDO2 reflected in WebAuthn is origin checking to prevent phishing attacks. The business case for WebAuthn on the web is driven by the cost linked to the deficient security offered by password-based authentication:

the authentication problem

In order to use WebAuthn, the user needs an external security device (like a FIDO 2 security key) or internal authenticators (like fingerprint readers, or facial recognition).

Beyond the technical aspects, an important aspect of WebAuthn is to allow usable, cheap authentication devices to appear, in order to drive adoption of the standard. To drive adoption, the FIDO Alliance provides testing tools and a certification program. Trusona, a provider of passwordless authentication technologies for businesses mentions:

The new protocol relies on using a PC or laptop that has biometrics available – or requires the user to have (or purchase) a hardware token. Any additional requirements, or cost for the consumer may hinder the widespread adoption of this new solution.

The FIDO Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy security issues related to creating and remembering multiple usernames and passwords.

The W3C's mission is to create technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone.

Rate this Article

Adoption
Style

BT