W3C and FIDO Alliance work to eliminate Web passwords
The World Wide Web Consortium (W3C) recently announced that it is launching a new standards effort in Web authentication that will offer a more secure and flexible alternative to password-based log-ins on the Web.
“Our mission is to revolutionize authentication on the Web through the development and global adoption of technical specifications that supplant the world’s dependency on passwords with interoperable strong authentication,” said Brett McDowell, Executive Director of the FIDO Alliance. “With W3C’s acceptance of the FIDO 2.0 submission, we are well on our way to accomplishing that mission.”
The FIDO 2.0 protocol employs public key cryptography, which relies on users’ devices to generate key pairs during a registration process. The user’s device retains the generated private key and delivers the public key to the service provider. The service provider retains this key and then associates it with a user’s account. When a log-in request is received, the system issues a challenge that must be signed by the private key holder as a response. The protocol accommodates both embedded and external authentication devices, such as smartphones and tablets, that incorporate biometric sensors.
According to W3C, the Web authentication effort will complement prior W3C work on a Web cryptography API, along with ongoing work on web application security specifications.
“Our goal is to raise the entire open Web platform to a higher standard of security and to collaborate with industry, academic experts, and other standards organizations to ensure that specific Web security needs are met,” said Dr. Jeff Jaffe, W3C CEO. “We invite broad participation to work together on this top priority to keep the Web as secure as possible today and in the foreseeable future.”
W3C has formed a new Web Authentication Working Group that will focus on authentication work. The working group’s first meeting will take place March 4 in San Francisco, conveniently timed for people attending the RSA USA Conference.
Wendy Seltzer, Technology and Society Domain Lead at W3C, says she expects the new Web authentication work to close an important gap in Web security methods: “We’ve seen much better authentication methods than passwords, yet too many Web sites still use password-based log-ins. Standard Web APIs will make consistent implementations work across the Web ecosystem. The new approach will replace passwords with more secure ways of logging into Web sites, such as using a USB key or activating a smartphone. Strong authentication is useful to any Web application that wants to maintain an ongoing relationship with users.”
Seltzer encourages industry stakeholders to become active in the working group. “The developers and engineers involved in W3C’s efforts to improve Web security are keenly aware of the need to upgrade protocols without breaking the Web that billions of people rely on,” said Seltzer. “We very much encourage those interested in helping W3C to build a more secure Web to get involved.”
Firms in the biometric sector have begun to answer that call. Ramesh Kesanupalli, founder of Nok Nok Labs noted: “The W3C’s new Web Authentication work, based upon the FIDO Alliance submission of FIDO 2.0 Web APIs, is a huge step towards realizing our vision of strong authentication using strong cryptographic operations instead of passwords. The W3C work drives us towards standards-based adoption by major browsers and enables consumers and organizations to achieve both an improved user experience and improved security. As a founder of the FIDO Alliance and one of the organizations to submit the FIDO 2.0 Web API’s to the W3C, it is great to see the submissions move down the standards path.”