The World Wide Web Consortium (W3C) and the FIDO (Fast IDentity Online) Alliance have announced that the Web Authentication specification is now an official web standard.
WebAuthn is a browser and platform standard for simpler and stronger authentication. Although it has only just been made official, it’s already supported in Windows 10, Android, and Chrome, Firefox, Edge and Safari browsers.
Commenting on the new standard, W3C and FIDO said:
“It’s common knowledge that passwords have outlived their efficacy. Not only are stolen, weak or default passwords behind 81 percent of data breaches, they are a drain of time and resources.”W3C and FIDO
WebAuthn means you can log into online accounts more securely using biometrics, mobile devices, or FIDO security keys. WC3 is recommending that web services and apps should turn on WebAuthn support to give users the option of logging in using biometrics, mobile devices or FIDO security keys.
Stolen, weak or default passwords behind an estimated 81 percent of data breaches, and traditional multi-factor authentication (MFA) solutions like SMS one-time codes are still vulnerable to phishing attacks, and suffer from low opt-in rates.
This background is behind the move to FIDO2. This combines WebAuthn and FIDO’s corresponding Client-to-Authenticator Protocol (CTAP).
FIDO2 cryptographic login credentials are unique across every website. The biometric information or more standard security info such as passwords never leave the user’s device and are never stored on a server. Users can log in with fingerprint readers, cameras, FIDO security keys, or their personal mobile device.
FIDO 2 also means that because the FIDO keys are unique for each Internet site, they cannot be used to track you across sites. Google announced in February that Android is now FIDO2-certified. For developers, enabling FIDO2 is a matter of a simple API call across all supported browsers and platforms. The FIDO Alliance has provided testing tools and launched a certification program.