New specification sets the standard for passwordless logins
W3C's WebAuthn recommendation, a core component of the FIDO Alliance's FIDO2 set of specifications, is a browser/platform standard for simpler and stronger authentication.
Already supported in Windows 10, Android, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (in preview), WebAuthn allows users to log into their internet accounts using their preferred device. Web services and apps can -- and should -- turn on this functionality to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys, and with much higher security over passwords alone.
"Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences," says Jeff Jaffe, W3C CEO. "W3C's Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site."
"The Web Authentication component of FIDO2 is now an official web standard from W3C, an important achievement that represents many years of industry collaboration to develop a practical solution for phishing-resistant authentication on the web," says Brett McDowell, executive director of the FIDO Alliance. "With this milestone, we’re moving into the next phase of our shared mission to deliver simpler, stronger authentication to everyone using the internet today, and for years to come."
Stolen or weak passwords are behind a high proportion of data breaches. FIDO2 cryptographic login credentials are unique across every website, biometrics or other secrets like passwords never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
Users log in with simple methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device. And because FIDO keys are unique for each internet site, they cannot be used to track users across sites. Websites can enable FIDO2 via simple API calls across all supported browsers and platforms on billions of devices consumers use every day.
"The WebAuthn specification is a major and collaborative leap forward in the evolution of simpler, stronger user authentication," says James Barclay, senior R& D engineer at trusted access specialist Duo Security. "As pioneers in the authentication space, Duo Security knows that for security to be effective, it has to be easy. WebAuthn's security and privacy protections, built-in phishing resistance and ease-of-use give it the potential to drive widespread adoption across enterprise and consumer markets, making everyone safer as a result. True passwordless authentication has been sought for a long time -- today, we're closer to realizing that goal with WebAuthn."
You can find out more about Web Authentication and how it works here.