W3C's WebAuthn API will pave the way for logins without passwords
The World Wide Web Consortium (W3C) and the FIDO Alliance (Fast Identity Online) have issued a joint press release announcing a major standards milestone: a web-based standard API that web sites and services can use to log users in securely without a password. The API is called Web Authentication, or WebAuthn for short.
The joint press release highlights that the deployment and adoption of WebAuthn will offer users protection from dangers such as "phishing, man-in-the-middle attacks and the abuse of stolen credentials" by relying on built-in authenticators (fingerprint or facial biometrics) and on external authenticators, such as security keys, connected over Bluetooth, Near-Field Communication, or USB.
Presently, Web Authentication is supported in the latest version of Mozilla Firefox, with support in Google Chrome and Microsoft Edge forthcoming. Apple has yet to announce support in Safari, but Apple engineers take part in the W3C working group for the standard.
Though this does not mean an immediate, or even near-future, end of passwords, it is one of the first tangible steps towards a web standard built on more secure instruments such as biometric sensors and hardware tokens. Because each credential is a key pair scoped to the site that registered it, and the private key never leaves the authenticator, a conventional phishing page has nothing reusable to steal, which makes it much harder for malicious actors to gain access to users' accounts and private information.
The press release lists the following major benefits:
Simpler authentication: users simply log in with a single gesture using:
- Internal or built-in authenticators (such as fingerprint or facial biometrics) in PCs, laptops and/or mobile devices
- Convenient external authenticators, such as security keys and mobile devices, for device-to-device authentication using CTAP, a protocol for external authenticators developed by the FIDO Alliance that complements WebAuthn
Stronger authentication: FIDO Authentication is much stronger than relying only on passwords and related forms of authentication, and has these advantages:
- User credentials and biometric templates never leave the user’s device and are never stored on servers
- Accounts are protected from phishing, man-in-the-middle and replay attacks that use stolen passwords