A Web standards milestone announced Tuesday could point to the end of the road for pesky passwords.
The new standard, WebAuthn, has won near-final approval from the World Wide Web Consortium, which establishes Web standards.
WebAuthn defines a standard Application Program Interface that can be incorporated into browsers and Web infrastructure. It opens the door for new ways for users to authenticate themselves on the Internet that are more secure and convenient than passwords.
“Security on the Web has long been a problem which has interfered with the many positive contributions the Web makes to society,” said W3C CEO Jeff Jaffe.
“While there are many Web security problems and we can’t fix them all, relying on passwords is one of the weakest links,” he continued. “With WebAuthn’s multifactor solutions, we are eliminating this weak link.”
Tech Heavyweight Support
The new standard seems to be poised for rapid growth. Google, Microsoft and Mozilla already have committed to supporting WebAuthn in their browsers. Developers have begun to implement the standard for Windows, Mac, Linux, Chrome OS and Android.
“We expect browser and OS vendors will be out in the second half of this year,” said Rajiv Dholakia, vice president for products at Nok Nok Labs.
“Uniform support will take about 12 months,” he told TechNewsWorld, “but we already know people running internal proofs of concept with the goal of bringing something to market as early as late in the second quarter or early third quarter.”
Implementing WebAuthn should not be difficult for organizations, noted Michael Thelander, senior director of product at Iovation.
“There are new concepts involved, but not radically new security thinking,” he told TechNewsWorld.
“The larger problem will be getting time and attention — especially in large organizations using this for customer-facing authentication — from the other stakeholder groups involved,” Thelander said.
“Compliance, user experience, product management and operations will all have a say and need some time,” he added.
Keeping Secrets Secret
WebAuthn, which is based on a specification written by the FIDO Alliance, can make the Internet more secure for consumers.
“There are many attacks that user names and passwords are vulnerable to that FIDO is not,” observed Brett McDowell, executive director of the FIDO Alliance.
For example, FIDO is resistant to phishing attacks and data breaches, two of the most common threats to consumers and other users of the Internet.
“FIDO is based on public key cryptography,” McDowell told TechNewsWorld.
“You don’t have to give away a credential secret — like a password — to authenticate your identity,” he explained. “When a website authenticates me using FIDO, it’s not asking me for my secret. That means I can’t be tricked by someone else to give away my secret.”
Using public-key encryption for authentication has another advantage, according to Bob Crowe, a senior vice president of engineering at EdgeWave.
“WebAuthn incorporates cryptographic logic which allows for various sources of stronger authentication including biometrics — think FaceID — and external authenticators, such as device to device,” he told TechNewsWorld.
That makes the scheme more convenient, too. “All I have to do is look at my camera, touch my fingerprint sensor, or touch a button on a security key,” McDowell said.
WebAuthn reflects a promising trend, said Travis Biehn, a technical strategist at Synopsys.
The mobile arena has made great strides in security, he noted, with things like mutual application isolation, meaningful capabilities-based permissions models, cryptographic integrity of application bundles, secure distribution and update of application bundles, and usable key storage facilities.
“The Web has not made any significant progress on those fronts,” Biehn told TechNewsWorld, “so WebAuthn looks like a step in the right direction.”
The Big Challenge
FIDO’s WebAuthn will have to surmount a big challenge if it’s going to gain widespread acceptance, maintained Iovation’s Thelander.
“There are already some authentication technologies that are more FIDO than FIDO. They already deliver the benefits of FIDO without having gone through the cost and time of FIDO compliance,” he said.
“The biggest challenge is that great work is already being done in this field, and in some cases new standards need to play catch-up,” Thelander added.
Also, don’t count out the resilience of passwords.
“Look for a long tail of user name/password usage that will last for many years beyond the first rollout of FIDO-compliant sites,” Thelander predicted, “unless there’s such an improved user experience that online business can map an immediate ROI to the new authentication experience — more time on site, quicker logins, more frequent visits, more consumer confidence.”