W3C and FIDO Alliance work to eliminate Web passwords

The World Wide Web Consortium (W3C) recently announced that it is launching a new standards effort in Web authentication that will offer a more secure and flexible alternative to password-based log-ins on the Web.

W3C’s authentication effort will be based upon FIDO 2.0 Web APIs from the FIDO Alliance, which will enable the use of strong cryptographic operations in place of password exchange.

“Our mission is to revolutionize authentication on the Web through the development and global adoption of technical specifications that supplant the world’s dependency on passwords with interoperable strong authentication,” said Brett McDowell, Executive Director of the FIDO Alliance. “With W3C’s acceptance of the FIDO 2.0 submission, we are well on our way to accomplishing that mission.”

The FIDO 2.0 protocol employs public key cryptography, which relies on users’ devices to generate key pairs during a registration process. The user’s device retains the generated private key and delivers the public key to the service provider. The service provider retains this key and then associates it with a user’s account. When a log-in request is received, the system issues a challenge that must be signed by the private key holder as a response. The protocol accommodates both embedded and external authentication devices, such as smartphones and tablets, that incorporate biometric sensors.
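
The registration and challenge-response flow described above can be sketched as follows. This is an added example, not code from the article, W3C or the FIDO Alliance; it is a simplified model rather than the FIDO 2.0 message format, and the class names, method names and the account name `alice` are assumptions made for illustration.

```javascript
// Simplified model of the flow: key pair on the device, public key at the service,
// login by signing a fresh challenge. All names here are hypothetical.
const crypto = require('node:crypto');

// User's device: generates the key pair and never releases the private key.
class Device {
  register() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKey = privateKey;
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this leaves the device
  }
  respond(challenge) {
    return crypto.sign('sha256', challenge, this.privateKey);
  }
}

// Service provider: stores one public key per account and issues one-time challenges.
class ServiceProvider {
  constructor() {
    this.keys = new Map();    // account -> public key (PEM)
    this.pending = new Map(); // account -> outstanding challenge
  }
  enroll(account, publicKeyPem) { this.keys.set(account, publicKeyPem); }
  issueChallenge(account) {
    const challenge = crypto.randomBytes(32); // unpredictable, so responses cannot be precomputed
    this.pending.set(account, challenge);
    return challenge;
  }
  verifyLogin(account, signature) {
    const challenge = this.pending.get(account);
    const key = this.keys.get(account);
    if (!challenge || !key) return false;
    this.pending.delete(account); // single use: a captured response cannot be replayed
    return crypto.verify('sha256', challenge, key, signature);
  }
}

function demo() {
  const sp = new ServiceProvider();
  const device = new Device();
  sp.enroll('alice', device.register()); // constructed sample account
  const sig = device.respond(sp.issueChallenge('alice'));
  const ok = sp.verifyLogin('alice', sig);     // fresh challenge, right key
  const replay = sp.verifyLogin('alice', sig); // challenge already consumed
  sp.issueChallenge('alice');
  const stale = sp.verifyLogin('alice', sig);  // old signature against a new challenge
  const other = new Device(); other.register();
  const wrongKey = sp.verifyLogin('alice', other.respond(sp.issueChallenge('alice')));
  return { ok, replay, stale, wrongKey };
}
```

The service provider holds only public keys, so its credential store contains nothing that can be used to sign a challenge.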

According to W3C, the Web authentication effort will complement prior W3C work on a Web cryptography API, along with on-going work on web application security specifications.

“Our goal is to raise the entire open Web platform to a higher standard of security and to collaborate with industry, academic experts, and other standards organizations to ensure that specific Web security needs are met,” said Dr. Jeff Jaffe, W3C CEO. “We invite broad participation to work together on this top priority to keep the Web as secure as possible today and in the foreseeable future.”

W3C has formed a new Web Authentication Working Group that will focus on authentication work. The working group’s first meeting will take place March 4 in San Francisco, conveniently timed for people attending the RSA USA Conference.

Wendy Seltzer, Technology and Society Domain Lead at W3C, says she expects the new Web authentication work to close an important gap in Web security methods: “We’ve seen much better authentication methods than passwords, yet too many Web sites still use password-based log-ins. Standard Web APIs will make consistent implementations work across the Web ecosystem. The new approach will replace passwords with more secure ways of logging into Web sites, such as using a USB key or activating a smartphone. Strong authentication is useful to any Web application that wants to maintain an ongoing relationship with users.”

Seltzer encourages industry stakeholders to become active in the working group. “The developers and engineers involved in W3C’s efforts to improve Web security are keenly aware of the need to upgrade protocols without breaking the Web that billions of people rely on,” said Seltzer. “We very much encourage those interested in helping W3C to build a more secure Web to get involved.”

Firms in the biometric sector have begun to answer that call. Ramesh Kesanupalli, founder of Nok Nok Labs, noted: “The W3C’s new Web Authentication work, based upon the FIDO Alliance submission of FIDO 2.0 Web APIs, is a huge step towards realizing our vision of strong authentication using strong cryptographic operations instead of passwords. The W3C work drives us towards standards-based adoption by major browsers and enables consumers and organizations to achieve both an improved user experience and improved security. As a founder of the FIDO Alliance and one of the organizations to submit the FIDO 2.0 Web APIs to the W3C, it is great to see the submissions move down the standards path.”
