Important alert: there are going to be a lot of three-letter acronyms in this post (and the odd four-letter one as well).

News this morning from the FIDO Alliance and W3C relating to a new standard for browser-based web authentication. First some background. Although it sounds like a dog food lobby group, the FIDO Alliance (FIDO stands for Fast IDentity Online) was formed back in 2012 to resolve the issues around the plethora of different authentication technologies, and specifically to create a degree of interoperability between them all.

For its part, the W3C (World Wide Web Consortium) is a group that focuses on creating technical standards and guidelines to ensure that “the Web remains open, accessible, and interoperable for everyone around the globe.” W3C is responsible for such well-known specifications as HTML5 and CSS, among others.

So here we have two organizations that intersect in the worlds of authentication and open web standards. Hence it makes a whole lot of sense that the two are collaborating on the new Web Authentication (WebAuthn) standard.

What is it?

WebAuthn is intended to bring simpler, but at the same time stronger, web authentication to users. The standard will allow the FIDO Authentication protocol, already widely used via hardware devices and on physical machines, to be deployed via web browsers. Once deployed, people can access web services securely through the browser, from their mobile phone or PC, by touching a fingerprint sensor, looking at a camera or inserting a security key, in place of, or in addition to, entering a password.

WebAuthn has been developed in coordination with FIDO Alliance and is a core component of the FIDO2 Project along with FIDO’s Client to Authenticator Protocol (CTAP) specification. CTAP enables an external authenticator, such as a security key or a mobile phone, to communicate authentication credentials locally over USB, Bluetooth or NFC to the user’s internet access device (PC or mobile phone). The FIDO2 specifications collectively enable users to authenticate easily to online services with desktop or mobile devices with phishing-resistant security.

Why is this important?

Well, security, duh! We all know that Two Factor Authentication (2FA) is a key tool in ensuring higher levels of security for individuals’ data. But 2FA adds complexity and time to authentication. FIDO aims to reduce the on-ramp to 2FA and WebAuthn will do this even further. Says W3C CEO Jeff Jaffe:

Security on the web has long been a problem which has interfered with the many positive contributions the web makes to society. While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link. WebAuthn will change the way that people access the web.

Another standard that no one supports?

But standards, without support, are irrelevant. The two organizations involved with this initiative have done their groundwork and have gotten the major players on board – Google, Microsoft, Mozilla, and Opera have committed to supporting the WebAuthn standard in their browsers.

Today this functionality is available in Firefox and will reportedly be rolled out natively in Chrome and Edge over the next few months. WebAuthn specifications are available today, enabling developers and vendors to get a jumpstart on building support for the next generation of FIDO Authentication into their products and services.

MyPOV

What’s not to like? I live my life in a browser, so natively delivering stronger, yet simpler, authentication within that userspace makes total sense. I love my little Yubikey and how it keeps me safer in my digital life; this new standard will do so even more.

Ben Kepes

Ben Kepes is a technology evangelist, an investor, a commentator and a business adviser. Ben covers the convergence of technology, mobile, ubiquity and agility, all enabled by the Cloud. His areas of interest extend to enterprise software, software integration, financial/accounting software, platforms and infrastructure as well as articulating technology simply for everyday users.
