Password-Free Logins Getting Closer to Becoming a Reality

WebAuthn, with the approval of the World Wide Web Consortium (W3C) and the FIDO Alliance, just became an official web standard for password-free logins. After W3C and the FIDO Alliance first introduced it in November 2015, WebAuthn gained the support of many W3C contributors including Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, SoftBank, Tencent and Yubico. With WebAuthn, which is supported by Android and Windows 10, users can log-in via biometrics, mobile devices or FIDO security keys.

VentureBeat reports that browsers “Google Chrome, Mozilla Firefox, and Microsoft Edge all added support last year … [and] Apple has supported WebAuthn in preview versions of Safari since December.”

“Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,” said W3C chief executive Jeff Jaffe. “W3C’s Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit.”

W3C is in the process of adopting WebAuthn on its own site; Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter have already adopted it.

The FIDO Alliance, with its FIDO2 specifications, doesn’t want to stop at obsoleting passwords for websites, but wants to “kill the password everywhere, a goal it has been working on for years and will likely still be working on for years to come.” FIDO2, which is a core component of WebAuthn, “is a standard that supports public key cryptography and multifactor authentication — specifically, the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) protocols.” The FIDO Alliance also offers “testing tools and a certification program.”

It addresses “traditional authentication issues in four ways.” With security, “FIDO2 cryptographic login credentials are unique across every website; biometrics or other secrets like passwords never leave the user’s device and are never stored on a server … [which] eliminates the risks of phishing, all forms of password theft, and replay attacks.”

It offers convenience, as users can log in “with simple methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device,” and privacy “because FIDO keys are unique for each Internet site … [and] cannot be used to track users across sites.” Last, scalability is supported because websites can “enable FIDO2 via an API call across all supported browsers and platforms on billions of devices consumers use every day.”

The creation of WebAuthn as a standard, said FIDO Alliance executive director Brett McDowell, is a milestone. “We’re moving into the next phase of our shared mission to deliver simpler, stronger authentication to everyone using the Internet today, and for years to come,” he added.