W3C Affirms WebAuthn Standard for Authentications Without Passwords

The World Wide Web Consortium (W3C) announced on Monday that the Web Authentication (WebAuthn) specification is now an official W3C Recommendation, a step that is likely to accelerate passwordless authentication for Web transactions.

The W3C's WebAuthn works with the Fast IDentity Online 2.0 (FIDO2) specifications devised by the FIDO Alliance, an industry coalition formed in 2012 to promote stronger Web authentication that doesn't depend on passwords. For its part, the FIDO Alliance contributes its Client to Authenticator Protocol (CTAP), currently at version 2, which carries the requests between the browser and the authenticator while WebAuthn defines the browser API and the server-side checks.

Instead of depending on a password to verify a user's identity, which can be intercepted or phished and then reused by an attacker, the passwordless scheme relies on public-key cryptography: an authenticator on the user's device holds a private key, and the Web site stores only the matching public key. On Windows that authenticator can be backed by a Trusted Platform Module (TPM), implemented in hardware or software; alternatively, a separate FIDO security key holds the keys.

A FIDO credential is "unique for each Internet site," so a credential registered at one site cannot be used to track the user at another. The user unlocks the authenticator with a fingerprint reader, a personal ID number or even a face scan on a mobile device. In every case the user's private key stays on the device and is never sent to a server; the server only ever sees a signature that it verifies with the public key.

Here's how the W3C's announcement described it:

FIDO2 cryptographic login credentials are unique across every website, [and] biometrics or other secrets like passwords never leave the user's device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.

This approach also avoids one-time passwords sent by SMS, which can be phished just like static passwords, according to a FIDO Alliance talk, "Demos from Google and Microsoft," available at this page.

Currently, WebAuthn "is already supported in Windows 10, Android, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (preview) Web browsers," the W3C's announcement indicated. In the "Demos" talk, Brett McDowell, executive director of the FIDO Alliance, explained that organizations with Web sites won't have to worry about whether a user has a FIDO-embedded device, because the standard is supported in every browser.

There are only two requirements for organizations wanting to implement WebAuthn, according to McDowell. First, they need a server (the "relying party," in WebAuthn terms) that can process FIDO2 registrations and logins: issue a fresh challenge, store the public key, and verify the signed response. Second, the Web page has to call the browser's WebAuthn API, navigator.credentials.create() to register a credential and navigator.credentials.get() to log in. That's all that's needed, he said.

The FIDO Alliance has a certification program. It includes a segment for FIDO Certified Universal Servers, which verifies support for "FIDO2 and all prior UAF and U2F devices for full backward compatibility with the full range of certified FIDO authenticators." Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) are the earlier FIDO 1.0 specifications the FIDO Alliance published back in 2014; the U2F device protocol was later designated CTAP 1, which is why existing U2F security keys still work as second factors with WebAuthn.

Microsoft had indicated back in November that it supported FIDO2 in Windows 10 version 1809 with a Microsoft account and the Microsoft Edge browser, a capability that it was rolling out worldwide. Organizations wanting to use the capability would need to buy a security key supporting the FIDO2 standard, as described in Microsoft's documentation, or rely on a hardware- or software-based Trusted Platform Module on the device to store the keys for the built-in authenticator. FIDO2 support also will be coming to Azure Active Directory for work or school accounts, Microsoft had promised.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
