FIDO2: Web Authentication (WebAuthn)
Web Authentication (WebAuthn), a core component of FIDO Alliance’s FIDO2 set of specifications, is a web-based API that allows websites to update their login pages to add FIDO-based authentication on supported browsers and platforms. FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.
Web services and apps can – and should – turn on this functionality to give their users an easier login experience via biometrics, mobile devices and/or FIDO security keys – and with much higher security over passwords alone.
FIDO’s higher security comes from the use of cryptographic login credentials that are unique across every website, never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
For a demo of WebAuthn, visit https://webauthn.io/.
Understanding the relationship between FIDO Alliance and WebAuthn
After the release of its initial FIDO UAF and FIDO U2F specifications, the FIDO Alliance started a new journey to make FIDO Authentication more accessible to users worldwide. The Alliance developed three technical specifications that defined a web-based API, enabling FIDO Authentication to be built directly into browsers and platforms.
The FIDO Alliance decided to partner with the World Wide Web Consortium (W3C), the international standards organization for the World Wide Web, to standardize FIDO Authentication for the entire web platform. This standardization would grow the FIDO ecosystem by an entire community of web browsers and web application servers supporting the standard.
FIDO Alliance member companies submitted the FIDO specifications to the W3C for formal standardization in 2015. They then worked within the W3C to finalize the API, which became known as Web Authentication, or WebAuthn. WebAuthn was officially recognized as a W3C web standard in March 2019. Today, WebAuthn is part of the FIDO Alliance’s FIDO2 specifications and the FIDO Alliance runs certification programs to ensure compliance.
FIDO2: Client to Authenticator Protocol (CTAP)
The other component of FIDO2, Client to Authenticator Protocol (CTAP), is complementary to WebAuthn. It enables an external authenticator, such as a security key or a mobile phone, to work with browsers that support WebAuthn, and also to serve as an authenticator to desktop applications and web services.
Find more information on FIDO2 here.
Support for FIDO2: WebAuthn and CTAP
Browsers and Platforms
WebAuthn is currently supported in Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari web browsers, as well as Windows 10 and Android platforms.
For developers with existing web pages or applications that are looking to implement FIDO2, there are two changes that you will have to make to your application: 1) modifying the login and registration pages of your website or mobile application to use the FIDO protocols; and 2) setup a FIDO server to authenticate any FIDO registration or authentication requests. Get a high-level overview of the steps to take for both of those changes here.
FIDO2 Testing and Certification
FIDO Alliance provides interoperability testing and certification for servers, clients and authenticators adhering to FIDO2 specifications. Additionally, the Alliance has introduced a new Universal Server certification for servers that interoperate with all FIDO authenticator types (FIDO UAF, WebAuthn, CTAP). As a best practice, the FIDO Alliance recommends online services and enterprises deploy a Universal Server to ensure support for all FIDO Certified authenticators.
Currently, there are many FIDO2 Certified solutions available to support a wide variety of use cases. These include FIDO Certified Universal Servers that support FIDO2 and all prior FIDO UAF and FIDO U2F devices for full backward compatibility with the full range of certified FIDO authenticators.
Start the testing and certification process here.
More information on FIDO2
Technical details about Web Authentication
Getting Started for Developers