W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins

Major Browsers and Platforms Have Built-In Support for New Web Standard for Easy and Secure Logins via Biometrics, Mobile Devices and FIDO Security Keys

The World Wide Web Consortium (W3C) and the FIDO Alliance announced the Web Authentication (WebAuthn) specification is now an official web standard. This advancement is a major step forward in making the web more secure— and usable—for users around the world.

W3C’s WebAuthn Recommendation, a core component of the FIDO Alliance’s FIDO2 set of specificationsⁱ, is a browser/platform standard for simpler and stronger authentication. It is already supported in Windows 10, Android, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (preview) web browsers. WebAuthn allows users to log into their internet accounts using their preferred device. Web services and apps can — and should—turn on this functionality to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys, and with much higher security over passwords alone.

Read More: How to Ensure AI Doesn’t Make Your Customers Hate You

“Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,” said Jeff Jaffe, W3C CEO. “W3C’s Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site.”

A user-friendly solution to password theft, phishing and replay attacks

It’s common knowledge that passwords have outlived their efficacy. Not only are stolen, weak or default passwords behind 81 percent of data breaches, they are a drain of time and resources. According to a recent Yubico study, users spend 10.9 hours per year entering and/or resetting passwords, which costs companies an average of $5.2 million annually. While traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security, they are still vulnerable to phishing attacks, aren’t simple to use and suffer from low opt-in rates.

Read More: Brands that Realize the Potential of Augmented Reality

With FIDO2 and WebAuthn, the global technology community has come together to provide a shared solution to the shared password problem. FIDO2 addresses all of the issues of traditional authentication:

• Security: FIDO2 cryptographic login credentials are unique across every website, biometrics or other secrets like passwords never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
• Convenience: Users log in with simple methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device.
• Privacy: Because FIDO cryptographic keys are unique for each internet site, they cannot be used to track users across sites.
• Scalability: websites can enable FIDO2 via simple API call across all of supported browsers and platforms on billions of devices consumers use every day.

“The Web Authentication component of FIDO2 is now an official web standard from W3C, an important achievement that represents many years of industry collaboration to develop a practical solution for phishing-resistant authentication on the web,” said Brett McDowell, executive director of the FIDO Alliance. “With this milestone, we’re moving into the next phase of our shared mission to deliver  simpler, stronger authentication to everyone using the internet today, and for years to come.”

Read More: Cyxtera Reveals Research Finding IoT Devices Under Constant Attack