Yesterday, the W3C and the FIDO Alliance approved WebAuthn as an official web standard for logging in without passwords. WebAuthn, or Web Authentication, was first introduced in November 2015 as a way of replacing passwords for securing online accounts. It is already supported by most browsers, including Chrome, Firefox, Edge, and Safari, as well as by Android and Windows 10.
WebAuthn allows users to log into their internet accounts using biometrics, mobile devices, and/or FIDO security keys, which offer higher security than passwords alone.
WebAuthn is an important component of the FIDO Alliance’s FIDO2 set of specifications. FIDO2 is a standard that supports public key cryptography and multifactor authentication. Per the official press release, FIDO2 attempts to address traditional authentication issues in four ways:
- Security: FIDO2 cryptographic login credentials are unique across every website; biometrics or other secrets like passwords never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft, and replay attacks.
- Convenience: Users log in with simple methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device.
- Privacy: Because FIDO keys are unique for each internet site, they cannot be used to track users across sites.
- Scalability: Websites can enable FIDO2 via an API call across all supported browsers and platforms on billions of devices consumers use every day.
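The Security point above rests on checks the website (the relying party) runs on every login response. The following is an added example, not code from the press release or the FIDO Alliance: it shows the challenge, origin and RP ID checks on a WebAuthn assertion, using the field layout from the WebAuthn specification. The domain names and sample values are constructed, and verifying the signature against the stored public key is a separate step that is not shown.

```python
import base64, hashlib, json, struct

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, authenticator_data, expected_challenge,
                    expected_origin, rp_id, stored_sign_count):
    """Return (ok, reason). Signature verification is a separate step, not shown."""
    client = json.loads(client_data_json)
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Replay defence: the response must echo the one-time challenge issued for this login.
    if client.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    # Phishing defence: the browser records the origin it was actually talking to.
    if client.get("origin") != expected_origin:
        return False, "origin mismatch"
    # authenticatorData: 32-byte SHA-256(RP ID) | 1 flag byte | 4-byte big-endian counter
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    # Per-site credentials: the authenticator binds the response to the RP ID.
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not flags & 0x01:  # bit 0 = user present
        return False, "user not present"
    # A counter that fails to increase suggests a replayed or cloned credential.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        return False, "signature counter did not increase"
    return True, "ok"

def sample(origin, challenge, rp_id="example.com", count=5):
    """Build a constructed assertion (no real authenticator involved)."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}).encode()
    ad = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + struct.pack(">I", count)
    return cdj, ad

if __name__ == "__main__":
    issued = b"\x01" * 32  # constructed challenge; a real server uses random bytes
    site = ("https://example.com", "example.com")
    print(check_assertion(*sample("https://example.com", issued), issued, *site, 4))
    # Response produced on a look-alike site: rejected on origin.
    print(check_assertion(*sample("https://examp1e.com", issued, "examp1e.com"), issued, *site, 4))
    # Response captured during an earlier login: rejected on challenge.
    print(check_assertion(*sample("https://example.com", b"\x02" * 32), issued, *site, 4))
```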
“Web Authentication as an official web standard is the pinnacle of many years of industry collaboration to develop a practical solution for stronger authentication on the web,” said Brett McDowell, executive director of the FIDO Alliance, in a statement. “With this milestone, we’re moving into a new era of ubiquitous, hardware-backed FIDO Authentication protection for everyone using the internet.”
WebAuthn is already implemented on sites such as Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter. Now that it is the official standard, other sites are expected to adopt it, leading to more password-free logins across the web.