The FIDO Alliance and the World Wide Web Consortium (W3C) have reached a major milestone in their effort towards bringing stronger and simpler web authentication to users globally. The organizations have announced the Web Authentication (WebAuthn) standard is advancing to the Candidate Recommendation stage, the last step before the final approval of a web standard.
The Candidate Recommendation is a product of the Web Authentication Working Group, which comprises more than 30 member organizations including Google, Apple, Intel and IBM.
WebAuthn is a web API standard that provides users with new methods to securely authenticate on the web, in browsers, and across sites and devices. The standard was developed based on Web API specifications that were submitted by FIDO. It is a core component of the FIDO2 Project and FIDO’s Client to Authenticator Protocol (CTAP) specification, which allows external authenticators to relay authentication credentials locally via USB, Bluetooth, or NFC to a user’s device, such as a PC or mobile phone.
With the new specification, users will be able to log in using a single gesture, removing some of the complexity that is currently associated with authentication processes. According to FIDO, the standard strengthens FIDO Authentication and removes the need to rely on passwords. In addition, it provides the advantage of having credentials stay on the device instead of being stored on a server somewhere. It also helps protect against attacks that rely on stolen passwords, such as phishing, man-in-the-middle, and replay attacks.
“Security on the web has long been a problem which has interfered with the many positive contributions the web makes to society. While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link,” said Jeff Jaffe, CEO of W3C. “WebAuthn will change the way that people access the web.”
Google, Microsoft, and Mozilla have already committed to supporting WebAuthn in their browsers and have started implementations in Windows, Mac, Linux, Chrome OS, and Android platforms.
FIDO will also be launching a Universal Server certification that will work with all FIDO authenticator types, including FIDO UAF, FIDO U2F, WebAuthn, and CTAP.
“With the new FIDO2 specifications and leading web browser support announced today, we are taking a big step forward towards making FIDO Authentication ubiquitous across all platforms and devices,” said Brett McDowell, executive director of the FIDO Alliance. “After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications.”