The W3C has advanced Web Authentication (WebAuthn), a collaborative effort based on Web API specifications submitted by FIDO to the W3C, to the Candidate Recommendation (CR) stage.
WebAuthn defines a standard web API that can be incorporated into browsers and related web platform infrastructure which gives users new methods to securely authenticate on the web, in the browser and across sites and devices. WebAuthn has been developed in coordination with FIDO Alliance and is a core component of the FIDO2 Project along with FIDO’s Client to Authenticator Protocol (CTAP) specification. CTAP enables an external authenticator, such as a security key or a mobile phone, to communicate strong authentication credentials locally over USB, Bluetooth or NFC to the user’s internet access device (PC or mobile phone). The FIDO2 specifications collectively enable users to authenticate easily to online services with desktop or mobile devices with phishing-resistant security.
“With the new FIDO2 specifications and leading web browser support announced today, we are taking a big step forward towards making FIDO Authentication ubiquitous across all platforms and devices,” said Brett McDowell, executive director of the FIDO Alliance. “After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications.”
Google, Microsoft, and Mozilla have committed to supporting the WebAuthn standard in their flagship browsers and have started implementation for Windows, Mac, Linux, Chrome OS and Android platforms. Unfortunately, it does not appear as though Apple has signed on as of yet.
“Security on the web has long been a problem which has interfered with the many positive contributions the web makes to society. While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link,” stated W3C CEO Jeff Jaffe. “WebAuthn will change the way that people access the web.”
WebAuthn and FIDO2 Project Benefits
W3C’s WebAuthn API, a standard web API that can be incorporated into browsers and related web platform infrastructure, enables strong, unique, public key-based credentials for each site, eliminating the risk that a password stolen from one site can be used on another. A web application running in a browser loaded on a device with a FIDO Authenticator can easily call to a public API to enable simpler, stronger FIDO Authentication of users with cryptographic operations in place of, or in addition to password exchange, delivering many advantages to service providers and users alike:
● Simpler authentication: users simply log in with a single gesture using:
○ Internal or built-in authenticators (such as fingerprint or facial biometrics) in PCs, laptops and/or mobile devices
○ Convenient external authenticators, such as security keys and mobile devices, for device-to-device authentication using CTAP, a protocol for external authenticators developed by the FIDO Alliance that complements WebAuthn
● Stronger authentication: FIDO Authentication is much stronger than relying only on passwords and related forms of authentication, and has these advantages:
○ User credentials and biometric templates never leave the user’s device and are never stored on servers
○ Accounts are protected from phishing, man-in-the-middle and replay attacks that use stolen passwords
● Developers can get started on creating apps and services that leverage FIDO Authentication on FIDO’s new developer resources page.
More details at the link below...