The World Wide Web Consortium (W3C) today declared that the Web Authentication API (WebAuthn) is now an official web standard. First announced by the W3C and the FIDO Alliance in November 2015, WebAuthn is now an open standard for password-free logins on the web. It is supported by W3C contributors, including Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, SoftBank, Tencent, and Yubico.
The specification lets users log into online accounts using biometrics, mobile devices, and/or FIDO security keys. WebAuthn is supported by Android and Windows 10. On the browser side, Google Chrome, Mozilla Firefox, and Microsoft Edge all added support last year. Apple has supported WebAuthn in preview versions of Safari since December.
Killing the password
“Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,” W3C CEO Jeff Jaffe said in a statement. “W3C’s Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site.”
Although the W3C hasn’t adopted its own creation yet, WebAuthn is already implemented on sites such as Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter. Now that WebAuthn is an official standard, the hope is that other sites will jump on board as well, leading to more password-free logins across the web.
But it’s not just the web. The FIDO Alliance wants to kill the password everywhere, a goal it has been working on for years and will likely still be working on for years to come.
W3C’s WebAuthn recommendation is a core component of the FIDO Alliance’s FIDO2 set of specifications. FIDO2 is a standard that supports public key cryptography and multifactor authentication — specifically, the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) protocols. To help spur adoption, the FIDO Alliance provides testing tools and a certification program.
FIDO2 attempts to address traditional authentication issues in four ways:
- Security: FIDO2 cryptographic login credentials are unique across every website; biometrics or other secrets like passwords never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft, and replay attacks.
- Convenience: Users log in with simple methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device.
- Privacy: Because FIDO keys are unique for each internet site, they cannot be used to track users across sites.
- Scalability: Websites can enable FIDO2 via simple API call across all supported browsers and platforms on billions of devices consumers use every day.
“The Web Authentication component of FIDO2 is now an official web standard from W3C, an important achievement that represents many years of industry collaboration to develop a practical solution for phishing-resistant authentication on the web,” FIDO Alliance executive director Brett McDowell said in a statement. “With this milestone, we’re moving into the next phase of our shared mission to deliver simpler, stronger authentication to everyone using the internet today, and for years to come.”