W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins
Major browsers and platforms have built-in support for new web standard for easy and secure logins via biometrics, mobile devices and FIDO security keys
MOUNTAIN VIEW, Calif., and https://www.w3.org/, March 4, 2019 – The World Wide Web Consortium (W3C) and the FIDO Alliance today announced the Web Authentication (WebAuthn) specification is now an official web standard. This advancement is a major step forward in making the web more secure – and usable – for users around the world.
W3C’s WebAuthn Recommendation, a core component of the FIDO Alliance’s FIDO2 set of specifications[i], is a browser/platform standard for simpler and stronger authentication. It is already supported in Windows 10, Android, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (preview) web browsers. WebAuthn allows users to log into their internet accounts using their preferred device. Web services and apps can – and should – turn on this functionality to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys, and with much higher security over passwords alone.
“Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,” said Jeff Jaffe, W3C CEO. “W3C’s Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site.”
A user-friendly solution to password theft, phishing and replay attacks
It’s common knowledge that passwords have outlived their efficacy. Not only are stolen, weak or default passwords behind 81 percent of data breaches, they are a drain of time and resources. According to a recent Yubico study, users spend 10.9 hours per year entering and/or resetting passwords, which costs companies an average of $5.2 million annually. While traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security, they are still vulnerable to phishing attacks, aren’t simple to use and suffer from low opt-in rates.
With FIDO2 and WebAuthn, the global technology community has come together to provide a shared solution to the shared password problem. FIDO2 addresses all of the issues of traditional authentication:
- Security: FIDO2 cryptographic login credentials are unique across every website, biometrics or other secrets like passwords never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
- Convenience: Users log in with simple methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device.
- Privacy: Because FIDO cryptographic keys are unique for each internet site, they cannot be used to track users across sites.
- Scalability: websites can enable FIDO2 via simple API call across all of supported browsers and platforms on billions of devices consumers use every day.
“The Web Authentication component of FIDO2 is now an official web standard from W3C, an important achievement that represents many years of industry collaboration to develop a practical solution for phishing-resistant authentication on the web,” said Brett McDowell, executive director of the FIDO Alliance. “With this milestone, we’re moving into the next phase of our shared mission to deliver simpler, stronger authentication to everyone using the internet today, and for years to come.”
TWEET THIS: #WebAuthn is an official web standard via @w3c @FIDOAlliance. This is a major step forward in making the web more secure — and usable — for users around the world https://fidoalliance.org/w3c-and-fido-alliance-finalize-web-standard-for-secure-passwordless-logins
For services providers and vendors ready to get started with FIDO2 specifications and browser/platform support, the FIDO Alliance has provided testing tools and launched a certification program. Currently, there are many FIDO2 Certified solutions available to support a wide variety of use cases. These include FIDO Certified Universal Servers that support FIDO2 and all prior FIDO UAF and FIDO U2F devices for full backward compatibility with the full range of certified FIDO authenticators.
About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, fidoalliance.org was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication is stronger, private, and easier to use when authenticating to online services.
About the W3C
The mission of the World Wide Web Consortium (W3C) is to lead the Web to its full potential by creating technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone around the globe. W3C develops well known specifications such as HTML5, CSS, and the Open Web Platform as well as work on security and privacy, all created in the open and provided for free and under the unique W3C Patent Policy. For its work to make online videos more accessible with captions and subtitles, W3C received a 2016 Emmy Award.
W3C’s vision for “One Web” brings together thousands of dedicated technologists representing more than 400 Member organizations and dozens of industry sectors. W3C is jointly hosted by the MIT Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) in the United States, the European Research Consortium for Informatics and Mathematics (ERCIM) headquartered in France, Keio University in Japan and Beihang University in China. For more information see https://www.w3.org/.
FIDO Alliance PR Contact
Montner Tech PR
W3C PR Contact
Amy van der Hiel
W3C Media Relations Coordinator
1.617.253.5628 (US, Eastern Time)
Duo Security (Cisco)
“The WebAuthn specification is a major and collaborative leap forward in the evolution of simpler, stronger user authentication. As pioneers in the authentication space, Duo Security knows that for security to be effective, it has to be easy. WebAuthn’s security and privacy protections, built-in phishing resistance and ease-of-use give it the potential to drive widespread adoption across enterprise and consumer markets, making everyone safer as a result. True passwordless authentication has been sought for a long time – today, we’re closer to realizing that goal with WebAuthn.” – James Barclay, Senior R&D Engineer, Duo Security, a Cisco business unit
“The fact that users get phished is not really their failing. It was a gap in the internet infrastructure that made them vulnerable. With today’s announcement, the internet community is closing that gap. The internet infrastructure now has the tools to provide user friendly phishing-resistant authentication at scale. Google has been part of this journey since the earliest days, we introduced Security Key based authentication in 2014, the Advanced Protection Program in 2017, and the Titan Security Key in 2018. Now with W3C WebAuthn and FIDO2 client support coming across all major client platforms, an expanded set of capabilities is enabled. We look forward to leveraging these to offer our users additional new intuitive login experiences that are phishing-resistant.” – Sam Srinivas, Product Management Director, Google and President, FIDO Alliance
“Our work with W3C and FIDO Alliance, and contributions to FIDO2 standards have been a critical piece of Microsoft’s commitment to a world without passwords, which started in 2015. Today, Windows 10 with Microsoft Edge fully supports the WebAuthn standard and millions of users can log in to their Microsoft account without using a password.” – Alex Simons, Corporate Vice President, Program Management, Microsoft Identity Division
“Out of all multi-factor authentication solutions I know of, Web Authentication is our best technical response to the scourge of phishing. Protecting individuals’ privacy and security is fundamental to Mozilla, and Web Authentication plays a key role in that protection. Mozilla supports the advancement of Web Authentication, and its end-goal of a phishing-free future for all the web.” – J.C. Jones, Cryptography Engineer, Mozilla
Nok Nok Labs
“Providing an alternative to phishable and inconvenient passwords that works across devices, apps, browsers, and websites has been the mission of Nok Nok Labs since our inception. The Web Authentication API is an important step towards the goal of enabling simple and strong authentication on the devices we use in our daily lives. It is imperative that the industry as a whole continues to add support for FIDO Authentication into all platforms to better protect consumers in our digital world.” – Rolf Lindemann, Sr. Director of Products at Nok Nok Labs
“Today’s standardization of W3C’s WebAuthn marks a milestone in the history of open authentication standards and internet security. Together, we achieved the near-impossible: the creation of a global standard supported by all platforms and browsers. Yubico is grateful to be a part of this journey and we look forward to the possibilities this is going to open for seamless, ubiquitous security for all internet users.” – Stina Ehrensvard, CEO and Founder, Yubico
[i] FIDO2 is comprised of the W3C’s Web Authentication specification (WebAuthn) and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP)
An Update from FIDO Alliance on Authenticate Conference
Authenticate Event Team Authenticate, the inaugural FIDO conference, will be...March 27, 2020
Financial Action Task Force Guidance Points to FIDO as Preferred Approach to Combat Authentication Vulnerabilities
This month, the Financial Action Task Force (FATF) released its...March 18, 2020
Agenda Announced for Authenticate 2020, the First FIDO Conference
Note: Authenticate, the inaugural FIDO conference, has been postponed from...February 26, 2020