Story image

W3C and FIDO Alliance finalise web standard for passwordless logins

05 Mar 2019

The World Wide Web Consortium (W3C) and the FIDO Alliance have announced the Web Authentication (WebAuthn) specification is now an official web standard.

This advancement is a step forward in making the web more secure— and usable—for users around the world.

W3C's WebAuthn Recommendation, a core component of the FIDO Alliance's FIDO2 set of specifications, is a browser/platform standard for simpler and stronger authentication.

It is already supported in Windows 10, Android, Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari Web browsers.

WebAuthn allows users to log into their internet accounts using their preferred device.

Web services and apps can — and should—turn on this functionality to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys, and with much higher security over passwords alone.

“Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,” says W3C CEO Jeff Jaffe.

“W3C's Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site.”

A user-friendly solution to password theft, phishing and replay attacks

It's common knowledge that passwords have outlived their efficacy.

Not only are stolen, weak or default passwords behind 81% of data breaches, but they are also a drain of time and resources.

According to a recent Yubico study, users spend 10.9 hours per year entering and/or resetting passwords, which costs companies an average of $5.2 million annually.

While traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security, they are still vulnerable to phishing attacks, aren’t simple to use and suffer from low opt-in rates.

With FIDO2 and WebAuthn, the global technology community has come together to provide a shared solution to the shared password problem.

FIDO2 addresses all of the issues with traditional authentication:

  • Security: FIDO2 cryptographic login credentials are unique across every website, biometrics or other secrets like passwords never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.

  • Convenience: Users log in with convenient methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device.

  • Privacy: Because FIDO keys are unique for each Internet site, they cannot be used to track you across sites.

  • Scalability: websites can enable FIDO2 via simple API call across all supported browsers and platforms on billions of devices consumers use every day.

“Web Authentication as an official web standard is the pinnacle of many years of industry collaboration to develop a practical solution for stronger authentication on the web,” says FIDO Alliance executive director Brett McDowell.

“With this milestone, we're moving into a new era of ubiquitous, hardware-backed FIDO Authentication protection for everyone using the internet.”

Getting started

For services providers and vendors ready to get started with FIDO2 specifications and browser/platform support, the FIDO Alliance has provided testing tools and launched a certification program.

Currently, there are many FIDO2 Certified solutions available to support a wide variety of use cases, including FIDO Certified Universal Servers that support FIDO2 and all prior UAF and U2F devices for full backward compatibility with the full range of certified FIDO authenticators.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords.

The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords.

About the World Wide Web Consortium

The mission of the World Wide Web Consortium (W3C) is to lead the Web to its full potential by creating technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone around the globe.

W3C develops well-known specifications such as HTML5, CSS, and the Open Web Platform as well as work on security and privacy, all created in the open and provided for free and under the unique W3C Patent Policy.

Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.
Forrester names Trend Micro Leader in email security
TrendMicro earned the highest score for technology leadership, deployment options and cloud integration.
LogRhythm releases cloud-based SIEM solution
LogRhythm Cloud provides the same feature set and user experience as its on-prem experience.
One Identity named Leader in PAM and IAM by KuppingerCole
KuppingerCole lead analyst Anmol Singh evaluated the strengths and weaknesses of 20 solution providers in the PAM market for the report.
Healthcare environments difficult to secure - Forescout
The convergence of IT, Internet of Things (IoT) and operational technology (OT) makes it more difficult for the healthcare industry to manage a wide array of hard-to-control network security risks.
Bitglass appoints new cloud, business development leaders
The cloud security company has appointed vice presidents for worldwide channels and worldwide business development.
Exploring the different needs for cloud services across Europe
Although digital transformation is happening across Europe, each country continues to have its own IT needs and the different cloud markets highlight this.