Time to say goodbye to your passwords
From now on WebAuthn is the official web standard for loginsEuropost
Web Authentication (aka WebAuthn) has been a de facto standard for no-password web sign-ins for almost a year after the most famous browsers (Firefox, Chrome, Edge, Safari) began implementing it. It is also supported by many websites, including Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal and SoftBank. But now the World Wide Web Consortium and the FIDO Alliance have officially declared it as an official standard for logging into accounts.
This, according to both sides will result in greater security and convenience than typing in your credentials.
“The Web Authentication component of FIDO2 is now an official web standard from W3C, an important achievement that represents many years of industry collaboration to develop a practical solution for phishing-resistant authentication on the web,” FIDO Alliance Executive Director Brett McDowell said in a statement last Monday. “With this milestone, we’re moving into the next phase of our shared mission to deliver simpler, stronger authentication to everyone using the internet today, and for years to come.”
Both sides also expressed hope that WebAuthn will eliminate many problems associated with traditional authentication methods.
“It's common knowledge that passwords have outlived their efficacy. Not only are stolen, weak or default passwords behind 81% of data breaches, they are a drain of time and resources. While traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security, they are still vulnerable to phishing attacks, aren’t simple to use and suffer from low opt-in rates. With WebAuthn, the global technology community has come together to provide a shared solution to the shared password problem,” they said in a joint statement.
So what does WebAuthn and FIDO2 actually mean? Let's start with WebAuthn - it is short for Web Authentication and is a browser and platform standard for simpler and stronger authentication processes. In case a site supports it, you can get in your account using biometrics (such as fingerprints or facial recognition), USB security keys, or nearby mobile devices like phones and smartwatches. Since it links unique encrypted login details to each website, it makes logins significantly more secure and convenient, than typing in your credentials
FIDO2, on the other hand, is the set of security specifications that WebAuthn is part of and is in short a standard that supports public key cryptography and multifactor authentication — specifically, the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) protocols. FIDO2 cryptographic login credentials are unique across every website; biometrics or other secrets like passwords never leave the user’s device and are never stored on a server. Thus, such security model eliminates the risks of phishing, all forms of password theft and other attacks that watch for your input.
In an era of data breaches and dumps, it is crucial to shift to a new paradigm that doesn’t depend on passwords for using internet services, but without pressing urgency like a specific security threat, many websites will likely take their time incorporating it into their authentication protocols. So don't expect the new standard to be immediately adopted.