March 6, 2019 weblog
FIDO, W3C show strong and simple are not opposites for user authentication
File under New and Official: this week's headlines for WebAuthn and W3C. The latter stands for World Wide Web Consortium. WebAuthn is now an official web standard. Backers say the specification marks a major step forward in making the web more secure and usable around the world.
Authentication is both easy and strong. Cheerleaders call it "change for the better." For all those who think passwords are a pain but were resigned to doing the necessary, the announcement is about a password-free login standard.
W3C said WebAuthn is now an official web standard, and it is on track to be supported by all major platforms and browsers. WebAuthn is supported by Android and Windows 10. Browsers including Chrome, Firefox, and Microsoft Edge added support.
You cross the welcome mat using a biometric such as a fingerprint, or a security key. "Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences," said Jeff Jaffe, W3C CEO.
What would search technology royalty have to say about the standard?
Google offered its take: "The fact that users get phished is not really their failing. It was a gap in the internet infrastructure that made them vulnerable. With today's announcement, the internet community is closing that gap. The internet infrastructure now has the tools to provide user friendly phishing-resistant authentication at scale."
W3C stated that "Web services and apps can—and should—turn on this functionality to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys."
The W3C and FIDO Alliance are both involved in this commitment to the new standard so that users can have "passwordless" logins that are nonetheless secure. FIDO stands for Fast IDentity Online.
Emil Protalinski in VentureBeat can help explain the mission.
"W3C's WebAuthn recommendation is a core component of the FIDO Alliance's FIDO2 set of specifications. FIDO2 is a standard that supports public key cryptography and multifactor authentication."
FIDO2 cryptographic login credentials are unique across every website.
"The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords."
FIDO protocols use standard public key cryptography techniques for authentication.
This model was designed to fight attacks such as phishing and password theft.
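As an added example (not code from the article, W3C or the FIDO Alliance), here is a simplified Node.js sketch of the checks a site's server runs on a WebAuthn login: the signature comes from a key pair that exists only for that site and covers the origin and a one-time challenge, so a login captured on a look-alike page does not verify. The in-memory authenticator, the names `login.example` and `login-example.test`, and the function names are constructed for illustration; a real deployment also checks attestation, signature counters and user verification.

```javascript
const crypto = require('node:crypto');
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();

// Constructed stand-in for an authenticator: one key pair per RP ID, so a
// credential registered at one site is never offered to another.
function makeAuthenticator() {
  const keys = new Map(); // rpId -> key pair
  return {
    register(rpId) {
      keys.set(rpId, crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }));
      return keys.get(rpId).publicKey; // only the public key reaches the server
    },
    // In a real flow the browser, not the page, supplies `origin`.
    getAssertion(origin, rpId, challenge) {
      const kp = keys.get(rpId);
      if (!kp) return null; // no credential scoped to this site
      const clientDataJSON = Buffer.from(JSON.stringify({
        type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      // authenticatorData: rpIdHash(32) | flags(1, bit 0 = user present) | signCount(4)
      const authData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
      const signature = crypto.sign('sha256',
        Buffer.concat([authData, sha256(clientDataJSON)]), kp.privateKey);
      return { clientDataJSON, authData, signature };
    },
  };
}

// Server side: returns 'ok' or the name of the first failed check.
function verifyAssertion(a, { publicKey, challenge, origin, rpId }) {
  const cd = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (cd.type !== 'webauthn.get') return 'bad-type';
  if (cd.challenge !== challenge.toString('base64url')) return 'bad-challenge';
  if (cd.origin !== origin) return 'bad-origin';
  if (!a.authData.subarray(0, 32).equals(sha256(rpId))) return 'bad-rpid';
  if ((a.authData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad-signature';
}

// Constructed scenario: a genuine login, one made on a look-alike origin, a replay.
function demo() {
  const auth = makeAuthenticator(), rpId = 'login.example', origin = 'https://login.example';
  const expect = { publicKey: auth.register(rpId), challenge: crypto.randomBytes(32), origin, rpId };
  const good = auth.getAssertion(origin, rpId, expect.challenge);
  const lookalike = auth.getAssertion('https://login-example.test', rpId, expect.challenge);
  const later = { ...expect, challenge: crypto.randomBytes(32) }; // next login attempt
  return [verifyAssertion(good, expect), verifyAssertion(lookalike, expect), verifyAssertion(good, later)];
}
console.log(demo());
```

The server stores only the public key, so a breach of its database yields nothing an attacker can log in with, unlike a stolen password.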
"While traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security, they are still vulnerable to phishing attacks, aren't simple to use and suffer from low opt-in rates." What is more, "stolen, weak or default passwords are behind 81 percent of data breaches," said the W3C news release on Monday.
W3C is hosted by MIT CSAIL, the European Research Consortium for Informatics and Mathematics (ERCIM), Keio University and Beihang University.
So what is the verdict? Overnight world domination is not likely. It may take some time. TECHnalysis Research analyst Bob O'Donnell offered his opinion in TechSpot: "To fully take advantage of WebAuthn, websites will have to build-in support for it—it won't automatically rid us of passwords—but now that a W3C standard is in place, that process should move more quickly."
Engadget's Jon Fingas weighed in: "The greater challenge is convincing the sites themselves to use this method—there are many, many web pages, and not all of them will be in a rush to ditch passwords." This might be a good step, though, considering it is an official standard, which, remarked Fingas, could reassure site operators.
© 2019 Science X Network