WebAuthn: The new web standard aims to make passwords obsolete
The new WebAuthn web standard is said to eliminate the risks of phishing, all forms of password theft and replay attacks.
The World Wide Web Consortium (W3C) and the FIDO Alliance on Monday elevated the Web Authentication (WebAuthn) as an official web standard. The move is believed to be a big step towards making the internet safer and more secure for users around the world.
The new web standard paves way for a simpler and stronger authentication, according to the consortium. The Consortium has asked the internet services to enable the web standard to allow users to log in more securely through security keys and even biometrics. The standard is already supported by major platforms including Windows 10, Android, Google Chrome, Mozilla Firefox and Microsoft Edge.
"Not only are stolen, weak or default passwords behind 81% of data breaches, they are a drain of time and resources. According to a recent Yubico study, users spend 10.9 hours per year entering and/or resetting passwords, which costs companies an average of $5.2 million annually. While traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security, they are still vulnerable to phishing attacks, aren't simple to use and suffer from low opt-in rates," said W3C and FIDO Alliance in a release.
WebAuthn can be implemented as an API which will allow sites to connect with a security device when a user logging into their accounts. The security device could range from a biometric-based device or a simpler USB token. TheVerge reports that WebAuthn is a more secure way of logging into accounts that the weak passwords users have some of their accounts. WebAuthn is also quite flexible allowing users to log into their accounts online using devices they prefer.
"FIDO2 cryptographic login credentials are unique across every website, biometrics or other secrets like passwords never leave the user's device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks," said the consortium. "Because FIDO keys are unique for each Internet site, they cannot be used to track you across sites."
FIDO Alliance has released testing tools and launched a certification programme to help service providers get started with the new standard.