FIDO and W3C Authenticate With WebAuthn


The FIDO (Fast Identity Online) Alliance and the World Wide Web Consortium (W3C) announce a "major standards milestone" with Web Authentication (WebAuthn), a password-free protocol currently in the Candidate Recommendation (CR) stage.

FIDO WebAuthn is a standard web API allowing users to securely authenticate online, in the browser and across sites and devices. It is a core component of the FIDO2 specification project (the next generation of the U2F and UAF standards) together with the Client to Authenticator Protocol (CTAP), the specification allowing external authenticators to communicate strong authentication credentials locally via USB, Bluetooth or NFC to a PC or smartphone.

The result is a set of specifications that let users communicate with online services using phishing-resistant security and simpler means of authentication. The WebAuthn API runs in browsers and related web platform infrastructure, and enables unique public key-based credentials for each site. As such, a password stolen from one website cannot be used on another.
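The per-site credential idea described above can be modelled in a few lines of Node.js. This is an added example, not code from the article, FIDO or the W3C: the `Authenticator` class, `verifyAssertion`, `demo` and the `.example` origins are assumptions made for illustration, and the message layout is a simplification of what WebAuthn actually signs.

```javascript
// Simplified model of per-site credentials; NOT the real WebAuthn wire format.
const crypto = require("crypto");

class Authenticator {                       // hypothetical stand-in for a security key
  constructor() { this.keys = new Map(); }  // origin -> private key, never exported

  // Registration: fresh key pair per origin; the site stores only the public key.
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(origin, privateKey);
    return publicKey;
  }

  // Authentication: sign the challenge plus the origin the browser is really on.
  getAssertion(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null;                  // no credential was ever made for this origin
    const clientData = JSON.stringify({ origin, challenge: challenge.toString("base64") });
    return { clientData, signature: crypto.sign("sha256", Buffer.from(clientData), key) };
  }
}

// Relying party check: origin, challenge freshness, then the signature itself.
function verifyAssertion(publicKey, expectedOrigin, challenge, assertion) {
  if (!assertion) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin) return false;
  if (data.challenge !== challenge.toString("base64")) return false;
  return crypto.verify("sha256", Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

function demo() {                           // constructed origins, for illustration only
  const site = "https://bank.example", other = "https://shop.example";
  const auth = new Authenticator();
  const siteKey = auth.register(site);
  auth.register(other);
  const challenge = crypto.randomBytes(32);
  const check = (a, c = challenge) => verifyAssertion(siteKey, site, c, a);
  return {
    legitimate: check(auth.getAssertion(site, challenge)),
    otherSiteCredential: check(auth.getAssertion(other, challenge)),
    lookalikeOrigin: check(auth.getAssertion("https://bank-login.example", challenge)),
    staleChallenge: check(auth.getAssertion(site, challenge), crypto.randomBytes(32)),
  };
}

console.log(demo());
```

Only the assertion made for the registered origin against the current challenge verifies. The site holds nothing but a public key, so a breach there yields no secret that works elsewhere.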

"With the new FIDO2 specifications and leading web browser support announced today, we are taking a big step forward towards making FIDO Authentication ubiquitous across all platforms and devices," the FIDO Alliance says. "After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications."

Google, Microsoft and Mozilla have already started implementing the WebAuthn standards in the Windows, Mac, Linux, Chrome OS and Android platforms. The WebAuthn and CTAP specifications are available now, allowing developers and vendors to start building FIDO Authentication support in products and services.

Go FIDO Alliance and W3C Achieve Major Standards Milestone in Global Effort Towards Simpler, Stronger Authentication on the Web