The FIDO Alliance and the World Wide Web Consortium (W3C) have launched a new authentication standard that will bring biometric and hardware key security to the world’s leading web browsers.
Called WebAuthn, the standard lets web browsers authenticate users via fingerprint scan, facial recognition, or a hardware key device such as Yubico’s YubiKeys. The latter are small, thumb-drive-like devices designed to be plugged into a user’s USB port; during authentication, the user taps an embedded button to prove that they are physically present at the computer communicating with a given site. Fingerprint scanners, meanwhile, are increasingly finding their way into laptop and PC devices, and are of course on all kinds of smartphones, while facial recognition can be leveraged through a standard web camera or smartphone camera to enable biometric user authentication.
Thus, by supporting these mechanisms, the WebAuthn standard allows for significantly improved authentication security through a web browser. Sites that previously used password and username combinations to let users access online services can take advantage of technologies that physically validate the user’s identity, rather than relying on credentials that could possibly be stolen. That means greater security for the end user, with FIDO ensuring that these biometric and hardware key credentials are encrypted for each site to offer additional security. But it also offers more convenience, since biometric and hardware key authentication mechanisms can be faster than password-based login, and users will no longer need to remember an overwhelming array of passwords for various web services.
The WebAuthn specifications are now available for developers, and the W3C, which is the primary international standards organization for the web, has advanced the standard to ‘Candidate Recommendation’ status. That means the specifications have been thoroughly reviewed and deemed to meet the W3C’s technical requirements, and are now ready to be implemented so that the standards body can collect further data before it officially endorses the standard.
Meanwhile, Microsoft, Mozilla, and Google have all committed to supporting WebAuthn in their Edge, Firefox, and Chrome browsers, with the last being the world’s most popular web browser. And Mozilla, for its part, has in fact already enabled WebAuthn functionality, while in a statement FIDO and the W3C said that the Chrome and Edge browsers will enable their support “over the next few months.”
The launch of WebAuthn is a development poised to dramatically increase the reach of FIDO standards, which are already being used in a wide range of products and services to ensure strong authentication as well as interoperability. FIDO says that it will soon issue certifications for servers and clients that adhere to these specifications, and that it’s also launched a new certification program called ‘Universal Server’ for servers that can work with all kinds of FIDO authentication standards including WebAuthn.
Ultimately, this is really good news for end users. Biometric authentication has been widely embraced on mobile devices, and many security-conscious users have taken advantage of hardware keys to access the online services that support them; now, allowing users to leverage this kind of security directly through the browser could significantly improve security for hundreds of millions of users around the world, while also making the authentication process with various sites easier and faster.