W3C and FIDO Alliance Finalize Web Standard (WebAuthn) for Secure, Passwordless Logins

From the World Wide Web Consortium (W3C) and the FIDO Alliance:

The World Wide Web Consortium (W3C) and the FIDO Alliance today announced the Web Authentication (WebAuthn) specification is now an official web standard. This advancement is a major step forward in making the web more secure— and usable—for users around the world.

W3C’s WebAuthn Recommendation, a core component of the FIDO Alliance’s FIDO2 set of specifications, is a browser/platform standard for simpler and stronger authentication. It is already supported in Windows 10, Android, and Chrome, Firefox, Edge and Safari Web browsers. WebAuthn allows users to log into their internet accounts using their preferred device. Web services and apps can — and should—turn on this functionality to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys, and with much higher security over passwords alone.

[Clip]

According to a recent Yubico study, users spend 10.9 hours per year entering and/or resetting passwords, which costs companies an average of $5.2 million annually. While traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security, they are still vulnerable to phishing attacks, aren’t simple to use and suffer from low opt-in rates.

FIDO2 addresses all of the issues with traditional authentication:

• Security: FIDO2 cryptographic login credentials are unique across every website, biometrics or other secrets like passwords never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
• Convenience: Users log in with convenient methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device.
• Privacy: Because FIDO keys are unique for each Internet site, they cannot be used to track you across sites.
• Scalability: websites can enable FIDO2 via simple API call across all supported browsers and platforms on billions of devices consumers use every day.

Read the Complete Announcement

Filed under: News, Patrons and Users