The World Wide Web Consortium (W3C) and the FIDO (Fast IDentity Online) Alliance have announced that the Web Authentication specification is now an official web standard.
WebAuthn is a browser and platform standard for simpler and stronger authentication. Although it has only just been made official, it’s already supported in Windows 10, Android, and Chrome, Firefox, Edge and Safari browsers.
Commenting on the new standard, W3C and FIDO said:
“It’s common knowledge that passwords have outlived their efficacy. Not only are stolen, weak or default passwords behind 81 percent of data breaches, they are a drain of time and resources.” (W3C and FIDO)
WebAuthn means you can log into online accounts more securely using biometrics, mobile devices, or FIDO security keys. W3C is recommending that web services and apps turn on WebAuthn support to give users the option of logging in this way.
Stolen, weak or default passwords are behind an estimated 81 percent of data breaches, and traditional multi-factor authentication (MFA) solutions like SMS one-time codes are still vulnerable to phishing attacks and suffer from low opt-in rates.
This background is behind the move to FIDO2, which combines WebAuthn and FIDO’s corresponding Client-to-Authenticator Protocol (CTAP).
FIDO2 cryptographic login credentials are unique across every website. The biometric information or more standard security info such as passwords never leave the user’s device and are never stored on a server. Users can log in with fingerprint readers, cameras, FIDO security keys, or their personal mobile device.
Because FIDO2 keys are unique for each Internet site, they also cannot be used to track you across sites. Google announced in February that Android is now FIDO2-certified. For developers, enabling FIDO2 is a matter of a simple API call across all supported browsers and platforms. The FIDO Alliance has provided testing tools and launched a certification program.
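The per-site keys and on-device secrets described above can be modeled in a few lines. This is an added example, not code from W3C, the FIDO Alliance or any browser: it is a simplified model using Node.js's crypto module rather than the real WebAuthn/CTAP message formats, and `ToyAuthenticator`, `verifyAssertion`, `demo` and the `.example` domains are hypothetical names.

```javascript
// Simplified model of FIDO2 per-site credentials (constructed example; real
// WebAuthn/CTAP adds CBOR encoding, clientDataJSON, counters and attestation).
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// Hypothetical authenticator: holds one private key per relying-party ID (rpId).
class ToyAuthenticator {
  constructor() { this.keys = new Map(); }

  // Registration: a fresh P-256 key pair per site; only the public key leaves.
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(rpId, privateKey);
    return publicKey.export({ type: "spki", format: "der" });
  }

  // Login: sign hash(rpId) || challenge with the key scoped to the rpId the
  // browser reports. No key registered for that rpId means no assertion.
  sign(rpId, challenge) {
    const key = this.keys.get(rpId);
    if (!key) return null;
    return crypto.sign("sha256", Buffer.concat([sha256(rpId), challenge]), key);
  }
}

// Server side: check the signature against the stored public key and own rpId.
function verifyAssertion(expectedRpId, publicKeyDer, challenge, signature) {
  if (!signature) return false;
  const pub = crypto.createPublicKey({ key: publicKeyDer, format: "der", type: "spki" });
  return crypto.verify("sha256", Buffer.concat([sha256(expectedRpId), challenge]), pub, signature);
}

function demo() {
  const device = new ToyAuthenticator();
  const bankPub = device.register("bank.example");
  const shopPub = device.register("shop.example");
  const challenge = crypto.randomBytes(32);
  const login = (rpId) => verifyAssertion("bank.example", bankPub, challenge, device.sign(rpId, challenge));
  return {
    linkable: bankPub.equals(shopPub),       // same device, different public keys
    sameOrigin: login("bank.example"),       // genuine site: assertion verifies
    // A look-alike domain has no credential on the device, so nothing is signed.
    lookalike: login("bank-login.example"),
    // An assertion made for another site fails against the bank's stored key.
    crossSite: login("shop.example"),
  };
}
```

The server stores only a public key, so a breach of its credential database yields nothing that can be replayed to log in.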