W3C brings WebAuthn API for traditional password replacement closer


The W3C has promoted the WebAuthn standard to Candidate Recommendation and is calling for its implementation. The standard should replace traditional passwords and make it possible to authenticate, for example in the browser, with a fingerprint or external device.

The organization reports that companies such as Mozilla, Google and Microsoft are behind the new standard and are implementing it in their browsers. Firefox, for example, enables WebAuthn support by default from version 60; Chrome plans to do so in version 67. The status of Safari is unknown, although Apple is part of the related working group. The W3C specification, which describes an API, lists a number of use cases, such as authentication using a registered phone. For example, if a user visits a website on a PC and chooses to log in with their phone, they receive a notification on that device and then complete the authentication with a fingerprint or a PIN code.

The idea is that authentication is based on public key cryptography, with the keys stored on the authenticator. The specification mentions the possibility that the key is located on the same device as the user agent, for example in a trusted platform module on a laptop or a secure element on a mobile phone. The same scenario is also possible with other devices, such as a USB authenticator. According to the consortium, the Client to Authenticator Protocol, or CTAP, plays a role here: it describes the communication with such authenticators via USB, Bluetooth or NFC.

Using WebAuthn should have the advantage over traditional passwords of better protection against phishing, interception through a man-in-the-middle attack and the use of leaked logins by malicious parties.

The current standard is the result of a collaboration between the FIDO Alliance and the W3C. FIDO, which stands for Fast IDentity Online, was founded in 2012 to provide an open, interoperable and scalable set of mechanisms to enable password replacement for online authentication. WebAuthn and CTAP are both part of the FIDO2 project. The original submission to the W3C was in 2015, with the alliance building on UAF and U2F, which were completed in 2014.
