The World Wide Web Consortium (W3C) has announced the adoption of the Web Authentication (WebAuthn) specification from the FIDO Alliance, as part of a move 'beyond vulnerable passwords'.
Founded in 2012, the FIDO Alliance - named for its promise to provide Fast Identity Online - launched its first standard, the Universal Second Factor (U2F), in October 2014. Designed for use with physical dongles, initially connected via USB but later expanded to include Bluetooth and Near Field Communication (NFC) connectivity for easier use with mobile devices, U2F allows a user to provide a cryptographic proof with a single button press. While most commonly used in addition to a password, providing the second authentication factor of 'something you have' as promised by its name, the same core technology was extended with the launch of FIDO2 to offer a replacement for traditional passwords - as adopted by Microsoft in November 2018 as an extension to Windows Hello.
Now, the FIDO Alliance's U2F standard has been formally adopted by the World Wide Web Consortium (W3C) as the W3C Web Authentication Standard, or WebAuthn. 'Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,' claims W3C chief executive Jeff Jaffe of the standard's formal ratification and adoption. 'W3C's recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site.'
'Web Authentication as an official web standard is the pinnacle of many years of industry collaboration to develop a practical solution for stronger authentication on the web,' adds Brett McDowell, executive director of the FIDO Alliance. 'With this milestone, we're moving into a new era of ubiquitous, hardware-backed FIDO Authentication protection for everyone using the internet.'
WebAuthn is supported as standard in the Windows 10 and Android operating systems and Chrome, Firefox, and Edge browsers, and in the preview release of Apple's Safari. It forms, however, only a subset of FIDO2 functionality, with the FIDO Alliance's Client to Authenticator Protocol (CTAP) joining WebAuthn to make up the standard proper. WebAuthn is also device-agnostic: While the FIDO Alliance recommends the use of its physical FIDO security dongles, authentication is also supported using alternative devices including smartphones, fingerprint readers, and cameras.
The full WebAuthn standard is available on the W3C website.
March 12 2019 | 19:11