The World Wide Web Consortium (W3C) is putting cybersecurity on its radar. It has announced that it is launching a new working group designed to standardize Web authentication and provide a more secure and flexible alternative to password-based logins.
“Every other week you see news of a password leak or data leak from another major site, and as a user of the Web, every place you go you are asked to log in with a username and password,” said Wendy Seltzer, technology and society domain lead for the W3C. “That is difficult to manage on the user side, and not the best we can do in security.”
The new Web Authentication Working Group will work on creating a Web-wide standard that provides strong authentication without relying on a password. According to the organization, even strong passwords are susceptible to phishing attacks, database breaches and other attacks.
“When strong authentication is easy to deploy, we make the Web safer for daily use, personal and commercial,” said Tim Berners-Lee, director of the W3C. “With the scope and frequency of attacks increasing, it is imperative for W3C to develop new standards and best practices for increased security on the Web.”
The W3C’s work will be supplemented with the FIDO Alliance’s FIDO 2.0 Web APIs. According to Seltzer, FIDO has already had success developing its own multi-factor authentication, and its APIs will help the working group ensure standards-based strong authentication across all browsers and related infrastructure.
“Our mission is to revolutionize authentication on the Web through the development and global adoption of technical specifications that supplant the world’s dependency on passwords with interoperable strong authentication,” said Brett McDowell, executive director of the FIDO Alliance. “With W3C’s acceptance of the FIDO 2.0 submission, and the chartering of this new Web Authentication Working Group, we are well on our way to accomplishing that mission.”
In addition, the working group will complement prior work on the Web Cryptography API and Web application security specifications.
“We’ve seen much better authentication methods than passwords, yet too many websites still use password-based logins,” said Seltzer. “Standard Web APIs will make consistent implementations work across the Web ecosystem. The new approach will replace passwords with more secure ways of logging into websites, such as using a USB key or activating a smartphone. Strong authentication is useful to any Web application that wants to maintain an ongoing relationship with users.”
The Web Authentication Working Group’s first meeting will take place on March 4 in San Francisco.