In one of the most significant steps taken so far towards ending the widespread use of passwords, the World Wide Web Consortium (W3C) and the FIDO Alliance have made the Web Authentication specification (WebAuthn) an official W3C standard for authenticating to accounts on web services and applications.
The WebAuthn API lets people log in to web services and apps with biometrics, mobile devices and/or FIDO security keys, and the FIDO Alliance says it offers stronger security, greater convenience, better privacy and the scalability needed for billions of Internet users across the globe.
For example, the cryptographic credential WebAuthn creates is a key pair generated by the user's authenticator, and a fresh pair is created for every website (relying party) the user registers with. The site stores only the public key; the private key, like any biometric used to unlock it, never leaves the user's device and is never sent to a server. A breach of one site therefore yields nothing that can be replayed against another, which defeats the credential-stuffing attacks that turn one leaked password into many compromised accounts, and because the browser binds each login to the origin that requested it, a look-alike phishing site cannot use the credential either. WebAuthn does not make existing passwords harder to steal; rather, an account protected by it has no password to steal.
According to the FIDO Alliance, it has been known for years that passwords are not a foolproof way to secure people's accounts with e-commerce firms, e-mail providers, banks or social media platforms. In the past couple of years a number of mega breaches have exposed the passwords of hundreds of millions of Internet users, and the Alliance says stolen, weak or default passwords have been behind 81 percent of data breaches.
The arrival of WebAuthn therefore gives people a chance to migrate away from passwords to a more secure way of protecting their accounts. Because the WebAuthn API is already supported in Windows 10 and Android and in the Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari browsers, it will be much easier for websites to offer users the option of logging in with biometrics, mobile devices or FIDO security keys.
"The Web Authentication component of FIDO2 is now an official web standard from W3C, an important achievement that represents many years of industry collaboration to develop a practical solution for phishing-resistant authentication on the web. With this milestone, we’re moving into the next phase of our shared mission to deliver simpler, stronger authentication to everyone using the internet today, and for years to come," said Brett McDowell, executive director of the FIDO Alliance.
Commenting on the standardisation of the WebAuthn API, James Barclay, senior R&D engineer at Duo Security, told SC Magazine UK that the WebAuthn specification is a major and collaborative leap forward in the evolution of simpler, stronger user authentication.
"As pioneers in the authentication space, Duo Security knows that for security to be effective, it has to be easy. WebAuthn’s security and privacy protections, built-in phishing resistance and ease-of-use give it the potential to drive widespread adoption across enterprise and consumer markets, making everyone safer as a result.
"True passwordless authentication has been sought for a long time - today, we’re closer to realising that goal with WebAuthn," he added.