News

W3C Affirms WebAuthn Standard for Authentications Without Passwords

• By Kurt Mackie
• 03/04/2019

The World Wide Web Consortium (W3C) announced on Monday that the Web Authentication (WebAuthn) specification is now considered to be an official W3C standard, which likely will accelerate passwordless authentications for Web transactions.

The W3C's WebAuthn works with Fast IDentity Online 2.0 (FIDO2) specifications devised by the FIDO Alliance, an industry coalition formed in 2012 to support stronger Web authentications that aren't dependent on passwords. For its part, the FIDO Alliance is bringing its Client To Authenticator (CTAP) protocol, currently at CTAP 2, to work alongside the W3C's WebAuthn.

Instead of depending on a password to verify a user's identity, which can get intercepted or phished and then used by an attacker, the new passwordless scheme depends on using a Trusted Platform Module to authenticate user identities. The Trusted Platform Module can be implemented via hardware or software.

This user authentication scheme uses a FIDO security key. These keys are "unique for each Internet site" and can't be tracked. They get implemented via a fingerprint authenticator, a personal ID number or even a face scan on a mobile device. In either case, the user's private key stays on the device and isn't sent out to a server.

Here's how the W3C's announcement described it:

FIDO2 cryptographic login credentials are unique across every website, [and] biometrics or other secrets like passwords never leave the user's device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.

This approach avoids the use of one-time SMTP passwords for user authentications, which can be phished, according to a FIDO Alliance talk, "Demos from Google and Microsoft," available at this page.

Currently, WebAuthn "is already supported in Windows 10, Android, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (preview) Web browsers," the W3C's announcement indicated. In the "Demos" talk, it was explained by Brett McDowell, executive director of the FIDO Alliance, that organizations with Web sites won't have to worry if a user has a FIDO-embedded device because the standard is supported in every browser.

There are a couple of requirements for organizations to implement WebAuthn. First, they need to have an application server that's able to process FIDO2. Second, the Web site page has to make a call to the browser API. But that's all that's needed, according to McDowell.

The FIDO Alliance has a certification program. It includes a segment for FIDO Certified Universal Servers, which will verify support for "FIDO2 and all prior UAF and U2F devices for full backward compatibility with the full range of certified FIDO authenticators." Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) are the earlier CTAP 1 specifications that were published by the FIDO Alliance back in 2014.

Microsoft had indicated back in November that it supported FIDO2 in Windows 10 version 1809 with a Microsoft account and the Microsoft Edge browser, a capability that it was rolling out worldwide. Organizations wanting to use the capability would need to buy a security key supporting the FIDO2 standard, as described in this document. They'd also need a hardware- or software-based Trusted Platform Module on the device to store the keys. FIDO2 support also will be coming to Azure Active Directory for either work or school accounts, Microsoft had promised.