W3C Using FIDO To Improve Password-Based Web Security

The World Wide Web Consortium (W3C) announced this week that it has formed a new Web Authentication Working Group to improve Web access security.

The group will devise a new standard aimed at supplanting the current reliance on passwords for Web authentications. Its activities will complement the W3C's Web Application Security and Web Cryptography efforts. The first meeting of the new Web Authentication Working Group will take place in San Francisco on March 4.

The efforts of the Web Authentication Working Group will be based, in part, on Fast IDentity Online (FIDO) 2.0 Web APIs. Those APIs already have been submitted to the W3C by the FIDO Alliance, an industry coalition.

The FIDO Alliance started out as an effort to use biometrics for Web authentications. It was initiated by PayPal and various hardware makers in 2012. Later, the FIDO Alliance adopted an open standard for Web authentications championed by Google and other companies.

The current FIDO specifications outline a public key-private key authentication service in which the private key always stays with the device. The user unlocks access to the private key by entering a personal identification number (PIN) or by using biometrics, such as a finger swipe on a device. This approach purportedly makes the public password useless by itself, which could serve as a security deterrent.

"This approach dramatically alters the economics of attacks on service providers and their password stores," a recent PayPal blog post explained. "For each service provider that a user interacts with, a unique private/public key pair is generated. Not only does this ensure that service providers are unable to use protocol artifacts to collude in user-unwanted ways, it renders the public key store of little to no value to fraudsters. Attacks at scale through exfiltration of passwords are no longer a viable means of generating revenue -- the ultimate goal of fraudsters."
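The key-pair scheme described above, modeled as an added JavaScript (Node.js) example; it is not code from the article, the FIDO Alliance or the W3C, and it is a simplified model rather than the FIDO wire protocol. The class names, origins, user name and PIN are constructed for illustration.

```javascript
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
// Authenticator model: one private key per service, none of which ever leaves the device.
class Authenticator {
  constructor(pin) { this.pin = pin; this.keys = new Map(); }
  register(origin) {                       // fresh P-256 key pair for each service
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only the public half is exported
  }
  signChallenge(origin, challenge, pin) {  // the user's PIN unlocks the private key
    if (pin !== this.pin) throw new Error('user verification failed');
    const key = this.keys.get(origin);
    if (!key) throw new Error('no credential for ' + origin);
    return sign('sha256', Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// Service provider model: the credential store holds public keys only.
class Service {
  constructor(origin) { this.origin = origin; this.store = new Map(); this.pending = new Map(); }
  enroll(user, pem) { this.store.set(user, pem); }
  challenge(user) { const c = randomBytes(32); this.pending.set(user, c); return c; }
  verify(user, signature) {
    const c = this.pending.get(user), pem = this.store.get(user);
    this.pending.delete(user);             // each challenge is single use
    if (!c || !pem) return false;
    return verify('sha256', Buffer.concat([Buffer.from(this.origin), c]), pem, signature);
  }
}

function demo() {
  const device = new Authenticator('4821');                 // constructed PIN
  const shop = new Service('https://shop.example');         // constructed origins
  const bank = new Service('https://bank.example');
  shop.enroll('alice', device.register(shop.origin));
  bank.enroll('alice', device.register(bank.origin));
  const sig = device.signChallenge(shop.origin, shop.challenge('alice'), '4821');
  const login = shop.verify('alice', sig);
  shop.challenge('alice');
  const replay = shop.verify('alice', sig);                 // old signature, new challenge
  bank.challenge('alice');
  const crossService = bank.verify('alice', sig);           // shop signature presented to bank
  // A party holding only the public-key store has no matching private key to sign with.
  const stranger = generateKeyPairSync('ec', { namedCurve: 'P-256' }).privateKey;
  const c = shop.challenge('alice');
  const storeOnly = shop.verify('alice', sign('sha256', Buffer.concat([Buffer.from(shop.origin), c]), stranger));
  const unlinkable = shop.store.get('alice') !== bank.store.get('alice');
  return { login, replay, crossService, storeOnly, unlinkable };
}
```

`demo()` returns one flag per case: the genuine login verifies, while a replayed signature, a signature presented to a different service, and a signature made without the device's private key are all rejected.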

Microsoft currently supports FIDO 2.0 in Windows 10, particularly with its Windows Hello biometric security feature. Intel also has a similar authentication solution based on its sixth-generation firmware. The Intel Authenticate solution supports multifactor authentication for PCs. It uses Microsoft's Windows Hello solution to support the biometric verification process.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

