W3C Using FIDO To Improve Password-Based Web Security -- Redmondmag.com

W3C Using FIDO To Improve Password-Based Web Security

By Kurt Mackie
02/19/2016

The World Wide Web Consortium (W3C) announced this week that it has formed a new Web Authentication Working Group to improve Web access security.

The group will devise a new standard aimed at supplanting the current reliance on passwords for Web authentications. Its activities will complement the W3C's Web Application Security and Web Cryptography efforts. The first meeting of the new Web Authentication Working Group will take place in San Francisco on March 4.

The efforts of the Web Authentication Working Group will be based, in part, on Fast IDentity Online (FIDO) 2.0 Web APIs. Those APIs already have been submitted to the W3C by the FIDO Alliance, an industry coalition.

The FIDO Alliance started out as effort to use biometrics for Web authentications. It was initiated by PayPal and various hardware makers in 2012. Later, the FIDO Alliance adopted an open standard for Web authentications championed by Google and other companies.

The current FIDO specifications outline a public key-private key authentication service in which the private key always stays with the device. Access to the private key gets unlocked by the user. That's done by entering a personal identification number (PIN) or biometrics can be used, such as a finger swipe on a device. This approach purportedly makes the public password useless by itself, which could serve as a security deterrent.

"This approach dramatically alters the economics of attacks on service providers and their password stores," a recent PayPal blog post explained. "For each service provider that a user interacts with, a unique private/public key pair is generated. Not only does this ensure that service providers are unable to use protocol artifacts to collude in user-unwanted ways, it renders the public key store of little to no value to fraudsters. Attacks at scale through exfiltration of passwords are no longer a viable means of generating revenue -- the ultimate goal of fraudsters."

Microsoft currently supports FIDO 2.0 in Windows 10, particularly with its Windows Hello biometric security feature. Intel also has a similar authentication solution based on its sixth-generation firmware. The Intel Authenticate solution supports multifactor authentication for PCs. It uses Microsoft's Windows Hello solution to support the biometric verification process.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.