The World Wide Web Consortium (W3C) and FIDO Alliance today announced that a new spec, WebAuthn (“Web Authentication”) had been promoted to the Candidate Recommendation stage, the penultimate stage in the Web standards process.
WebAuthn is a specification to allow browsers to expose hardware authentication devices—USB, Bluetooth, or NFC—to sites on the Web.
With WebAuthn-enabled browsers and sites, users can sign in using both integrated biometric hardware (such as the fingerprint and facial-recognition systems that are widely deployed) and external authentication systems such as the popular YubiKey USB hardware. With WebAuthn, no user credentials ever leave the browser and no passwords are used, providing strong protection against phishing, man-in-the-middle attacks, and replay attacks.
Microsoft, Google, and Mozilla have all committed to supporting WebAuthn. Chrome 67 and Firefox 60, both due for their stable release in May, will both have WebAuthn enabled by default.
WebAuthn builds on a previous FIDO specification called Universal Authentication Factor (UAF). UAF didn’t see much uptake in major browsers, and its specification wasn’t clear on how it should work with mobile browsers. WebAuthn has strong backing from the major browser vendors and is also designed to be more versatile. It is able to handle a wider range of authentication factors, covering not just biometrics and hardware authenticators, but also PINs or even more basic tests that merely verify that a user is present, without any indication of who that user is.
With WebAuthn in place, widespread adoption of passwordless authentication will be much more practical. We’re certainly not going to see the end of the password overnight, but this is the kind of infrastructure that needs to be in place before it can credibly be replaced.