June 9, 2016
W3C released its first public working draft of its Web authentication API for accessing scoped credentials in May. The World Wide Web Consortium (W3C) is an international community that develops open standards to ensure the long-term growth of the Web.
The W3C working draft is derived from the FIDO 2.0 platform specifications, which have now been officially published. Together they are an important step towards making “unphishable”, privacy-preserving authentication available on the Web and reducing reliance on passwords.
FIDO 2.0 is an initiative of the FIDO Alliance, whose mission is to change the nature of online authentication by developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
The W3C specification defines the FIDO-based API that enables Web pages to access “WebAuthn” compliant strong cryptographic credentials through browser script. Conceptually, one or more credentials are stored on an authenticator, and each credential is scoped to a single “relying party.”
Authenticators are responsible for ensuring that no operation is performed without the user’s consent. The user agent mediates access to credentials in order to preserve user privacy. Authenticators use attestation to provide cryptographic proof of their properties to the relying party. This specification also describes a functional model of a “WebAuthn” compliant authenticator, including its signature and attestation functionality.
Feedback and comments on the specification are welcomed by W3C. Microsoft is actively using the Web authentication specification for Windows Hello.
The Web Authentication API in Microsoft Edge, the company’s Web browser developed for the Windows 10 operating system, enables Web applications to use Windows Hello biometrics for user authentication, so that users can avoid all the hassles and risks of password management, including password guessing, phishing, and keylogging attacks.
The Web Authentication specification defines two authentication scenarios: password-less and two-factor. In the password-less case, the user does not need to log into a Web page with a username or password – they can log in solely using Windows Hello. In the two-factor case, the user logs in normally with a username and password, and Windows Hello is then used as a second-factor check to make the overall authentication stronger.
Using Web Authentication combined with Windows Hello, a Web server sends a plain-text challenge down to the browser. Once Microsoft Edge has verified the user through Windows Hello, the system signs the challenge with a private key previously provisioned for this user and sends the signature back to the server. If the server can validate the signature using the public key it holds for that user and confirm that the challenge is the one it issued, it can authenticate the user securely. With asymmetric cryptography such as this, the public key is meaningless on its own and the private key is never shared. Furthermore, on modern systems with trusted platform module (TPM)-enabled hardware, the private key can never be moved off the device.
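The challenge-response exchange described above, modelled end to end as an added Go example (not code from the article, the W3C draft or Microsoft Edge). The signed data binds the browser's origin to the challenge, which is how a signature collected by a look-alike site becomes useless to the genuine one; the hash construction, the `Register`, `Challenge`, `SignAssertion` and `Verify` names, and the in-memory challenge store are assumptions of this model rather than anything the specification mandates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// RelyingParty is the web server: it holds the user's public key and unanswered challenges; the private key never reaches it.
type RelyingParty struct {
	origin  string
	pub     *ecdsa.PublicKey
	pending map[string]bool
}
// Register provisions a P-256 key pair scoped to one relying party (constructed stand-in for WebAuthn registration).
func Register(origin string) (*ecdsa.PrivateKey, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, &RelyingParty{origin, &priv.PublicKey, map[string]bool{}}, nil
}
// Challenge mints 32 random bytes and remembers them, so each is accepted once and only if this server issued it.
func (rp *RelyingParty) Challenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand.Read always fills b completely
	rp.pending[string(b)] = true
	return string(b)
}
// SignAssertion is the platform side, run only after the user has been verified (Windows Hello in the
// article). Signing the origin with the challenge makes a signature collected by a look-alike site worthless.
func SignAssertion(priv *ecdsa.PrivateKey, origin, challenge string) ([]byte, error) {
	h := sha256.Sum256([]byte(origin + "|" + challenge))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}
// Verify: challenge known and unused, then signature valid for this user and this origin.
func (rp *RelyingParty) Verify(challenge string, sig []byte) error {
	if !rp.pending[challenge] {
		return errors.New("unknown or replayed challenge")
	}
	delete(rp.pending, challenge) // one-time use
	h := sha256.Sum256([]byte(rp.origin + "|" + challenge))
	if !ecdsa.VerifyASN1(rp.pub, h[:], sig) {
		return errors.New("signature does not verify for this user and origin")
	}
	return nil
}
```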
The current Microsoft Edge implementation is based on an earlier draft of the Web Authentication specification and is likely to change in the future.