“This advancement is a major step forward in making the web more secure— and usable—for users around the world,” said the W3C in its press release. The Web Authentication (WebAuthn) specification allows users to log into their internet accounts using their preferred device without having to remember passwords. Instead, users can login using biometric data such as a fingerprint, USB security keys, or devices like smartphones or watches. The W3C claims this will make websites more secure and give higher security over passwords. It is already supported in Windows 10, Android, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (preview) Web browsers. The W3C recommends websites to adopt the new standard to create a more secure environment for users and allow them to log in more easily, quickly, and securely: “Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,” said Jeff Jaffe, W3C CEO. “W3C’s Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site.” Also, the W3C feels that WebAuthn will eradicate many problems related to traditional authentication methods. “It’s common knowledge that passwords have outlived their efficacy. Not only are stolen, weak or default passwords behind 81 percent of data breaches, they are a drain of time and resources. While traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security, they are still vulnerable to phishing attacks, aren’t simple to use and suffer from low opt-in rates. With WebAuthn, the global technology community has come together to provide a shared solution to the shared password problem.” On the other hand, FIDO keys have many advantages over passwords and addresses all of the issues with traditional authentication such as:
Security: FIDO2 cryptographic login credentials are unique across every website, biometrics or other secrets like passwords never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks. Convenience: Users log in with convenient methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device. Privacy: Because FIDO keys are unique for each Internet site, they cannot be used to track you across sites. Scalability: Websites can enable FIDO2 via simple API call across all supported browsers and platforms on billions of devices consumers use every day.
“Web Authentication as an official web standard is the pinnacle of many years of industry collaboration to develop a practical solution for stronger authentication on the web,” said Brett McDowell, executive director of the FIDO Alliance. “With this milestone, we’re moving into a new era of ubiquitous, hardware-backed FIDO Authentication protection for everyone using the internet.” The WebAuthn announcement from the W3C and the FIDO Alliance is hopefully a step towards achieving password-free logins on websites. We hope to see a lot of web services implementing WebAuthn in the following months and eventually a wider usage of it across the web as a whole. Source: W3C Press Release