The API, which has almost reached formal adoption, provides a vendor-neutral method for organizations to use password-less authentication.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- The aim of adopting passwordless authentication is to inhibit phishing attacks, as well as man-in-the-middle attacks, and attacks that rely on replaying captured network packets.
- Support will come to Firefox and Chrome in May, with support for Microsoft Edge planned in the future.
The W3C and FIDO Alliance—a technology industry consortium—are moving forward with a new API for password-less authentication. The API, called Web Authentication, or WebAuthn, is progressing to the "Candidate Recommendation" stage, as a final call for comments before the standard is formally adopted.
WebAuthn is a common API that allows for the use of biometric-based authentication, as well as smart cards and USB tokens, for authentication, according to the W3C document. Similarly, the newly-announced Client to Authenticator Protocol (CTAP) standard allows for the fingerprint reader of a mobile phone to be used to log in to a web service on a computer.
Support for WebAuthn is planned for inclusion in Firefox 60, which is scheduled for release on May 9th, as well as in Chrome 67, which is planned for late May or early June. Microsoft has committed to support the API in the Edge browser in Windows 10, but no timeline is available for that release. Apple has not provided any indication of support for the standard in Safari, though Apple employees are on the working group for WebAuthn.
SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)
The standardization of WebAuthn is intended to supplant the proprietary implementations used presently by Google and Microsoft for token-based login. The existence of a common standard will ease deployment and interoperability of password-less authentication, as open source code can be imported to existing projects to enable WebAuthn-based authentication in apps.
WebAuthn is an overhaul of the previous "Universal Authentication Factor" (UAF) standard, the document noted, which had some shortcomings relative to the way people use technology—it lacked a clear specification for how to interact with mobile browsers, for example.
The end goal of adopting password-less authentication is to inhibit phishing attacks, as well as man-in-the-middle attacks, and attacks that rely on replaying captured network packets.
The adoption of biometric authentication schemes is not without its own detractors, however. While a password is inherently secret—the idea being that users do not tell others their password, or write it down in a place which can be easily discovered—biometric information is inherently public.
With the launch of Apple's Face ID, for example, concerns that biometric authentication could be used without the consent of the device owner have frequently been aired. According to a report in the Washington Post, while you cannot be compelled to give up a password, courts have ruled in favor of law enforcement in cases where they want a suspect to unlock devices using fingerprints, under the basis of "reasonable suspicion." Furthermore, the forced use of facial identification to unlock devices is legally unclear.
Starting with iOS 11, Apple introduced a failsafe that forces a passcode to be entered if the Home button is pressed 5 times in succession, though Face ID on that platform suffers from various other issues. A Vietnamese security firm successfully defeated the protection last November with a 3D-printed mask, while Wired reports that a 10-year-old was successfully able to unlock both of his parents' iPhones using Face ID.
- The secret to being a great spy agency in the 21st century: Incubating startups (cover story PDF) (TechRepublic)
- Are passwords passé? Raise your palm for biometrics (ZDNet)
- Apple iOS 11: Cheat sheet (TechRepublic)
- Does Face ID make the iPhone X more secure? Depends who's asking (ZDNet)
- How 5G could prevent Stingray-style surveillance and keep business travelers safer (TechRepublic)