W3C Announces New Work Toward a More Secure Web from Karen Myers on 2016-02-17 (w3c-news@w3.org from January to March 2016)

From: Karen Myers <karen@w3.org>
Date: Wed, 17 Feb 2016 08:40:29 -0500
To: "w3c-news@w3.org" <w3c-news@w3.org>
Cc: "w3t-pr@w3.org Office" <w3t-pr@w3.org>
Message-Id: <8473C20A-17F0-4EFF-9BFD-4936D5CDCEE1@w3.org>
Dear Media, Analysts and Friends of W3C,

Today W3C has announced the launch of the Web Authentication Working Group, whose goal is to develop standards using strong cryptographic operations in place of password exchange. This approach offers a more secure and flexible alternative to password-based log-ins on the Web, often seen as being annoying to use and offering weak protection.  

The W3C's Web Authentication technical work is being accelerated thanks to a W3C member submission of FIDO 2.0 Web APIs from members of the FIDO Alliance. The submitted APIs are intended to ensure standards-based strong authentication across all Web browsers and related Web platform infrastructure.

Here is the link to the English version of the press release:  https://www.w3.org/2016/02/securewebauthwg.html.en
Text version is copied below. [1]

For media and analysts, we invite interviews with W3C staff regarding the importance of this new work that will help to make the Web more secure. Please contact: w3t-pr@w3.org to schedule an interview. 
 
Kind regards,


Karen Myers
W3C Communications
Mobile: 1.978.502.6218


[1]W3C For Immediate Release

      [1] http://www.w3.org/

           W3C Accelerates Efforts To Build a More Secure Web

Launches Web Authentication work based on FIDO Alliance specifications
for more secure and flexible alternative to password log-ins on the Web
     __________________________________________________________

   Read [2]testimonials from W3C Members

   [3]Translations | [4]W3C Press Release Archive
     __________________________________________________________

      [3] https://www.w3.org/Press/Releases-2016#securewebauthwg
      [4] https://www.w3.org/Press/

   [5]http://www.w3.org/ — 17 February, 2016 — Recognizing the
   critical role of strong authentication in securing the Web
   experience for everyone, the World Wide Web Consortium (W3C)
   announced today that it is launching a new standards effort in
   [6]Web Authentication that will offer a more secure and
   flexible alternative to password-based log-ins on the Web.
   For many Web users, passwords are annoying to use and offer
   weak protection for their interactions – they're too often
   forgotten or set to weak, and easily-guessed combinations.
   Even strong passwords can be lost in data breaches or targeted
   for replay in phishing attacks. W3C's new Web Authentication
   work, based upon the member submission of FIDO 2.0 Web APIs
   from the FIDO Alliance, will enable the use of strong
   cryptographic operations in place of password exchange.
   "When strong authentication is easy to deploy, we make the Web
   safer for daily use, personal and commercial," said Sir Tim
   Berners-Lee, Web Inventor and W3C Director. "With the scope and
   frequency of attacks increasing, it is imperative for W3C to
   develop new standards and best practices for increased security
   on the Web."

      [5] https://www.w3.org/
      [6] https://www.w3.org/2015/12/web-authentication-charter.html

Web Authentication Complements Current W3C Web Security Activities

   According to W3C CEO Dr. Jeff Jaffe, the Web Authentication
   effort will complement prior W3C work on a Web Cryptography
   API, currently in [7]Candidate Recommendation status, and
   on-going work on [8]Web Application Security specifications.
   The WebCrypto API provides a Javascript API to a standard suite
   of cryptographic operations across browsers. Work in WebAppSec
   includes improvements to the HTTPS experience and updates to
   Content Security Policy (CSP), enabling application authors to
   set policy for what active content is permitted to run on their
   sites, protecting them against injection of unwanted or
   malicious code.

      [7] http://www.w3.org/TR/WebCryptoAPI/
      [8] http://www.w3.org/2011/webappsec/

   "Our goal is to raise the entire Open Web Platform to a higher
   standard of security and to collaborate with industry, academic
   experts, and other standards organizations to ensure that
   specific Web security needs are met," Jaffe said. "We invite
   broad participation to work together on this top priority to
   keep the Web as secure as possible today and in the foreseeable
   future."
   Wendy Seltzer, Technology and Society Domain Lead, says she
   expects the new Web Authentication work to close an important
   gap in the Web platform. "We've seen much better authentication
   methods than passwords, yet too many Web sites still use
   password-based log-ins. Standard Web APIs will make consistent
   implementations work across the Web ecosystem. The new approach
   will replace passwords with more secure ways of logging into
   Web sites, such as using a USB key or activating a smartphone.
   Strong authentication is useful to any Web application that
   wants to maintain an ongoing relationship with users," Seltzer
   commented.

FIDO 2.0 Web APIs to Jumpstart Web Authentication Work

   The W3C's Web Authentication technical work is being
   accelerated thanks to a [9]W3C member submission of FIDO 2.0
   Web APIs from members of the [10]FIDO Alliance. The submitted
   APIs are intended to ensure standards-based strong
   authentication across all Web browsers and related Web platform
   infrastructure.

      [9] https://www.w3.org/blog/2015/11/w3c-fido/
     [10] https://fidoalliance.org/

   "Our mission is to revolutionize authentication on the Web
   through the development and global adoption of technical
   specifications that supplant the world's dependency on
   passwords with interoperable strong authentication," said Brett
   McDowell, executive director of the FIDO Alliance.  "With W3C's
   acceptance of the FIDO 2.0 submission, and the chartering of
   this new Web Authentication Working Group, we are well on our
   way to accomplishing that mission."

   The new Web Authentication Working Group's first meeting will
   take place 4 March 2016 in San Francisco, conveniently timed
   for people who are also attending the RSA USA Conference. All
   W3C standards activities take place in [11]Working Groups that
   are open to participation by W3C members and provide public
   mailing lists and repositories for public comment.

     [11] http://www.w3.org/Consortium/activities

   "The developers and engineers involved in W3C’s efforts to
   improve Web security are keenly aware of the need to upgrade
   protocols without breaking the Web that billions of people rely
   on," said Seltzer.  "We very much encourage those interested in
   helping W3C to build a more secure Web to get involved."

About the World Wide Web Consortium

   The World Wide Web Consortium (W3C) is an international
   consortium where Member organizations, a full-time staff, and
   the public work together to develop Web standards. W3C
   primarily pursues its mission through the creation of Web
   standards and guidelines designed to ensure long-term growth
   and stewardship for the Web. Over 400 organizations are
   [12]Members of the Consortium.

     [12] https://www.w3.org/Consortium/Member/List

   W3C is jointly run by the [13]MIT Computer Science and
   Artificial Intelligence Laboratory (MIT CSAIL) in the United
   States, the [14]European Research Consortium for Informatics
   and Mathematics (ERCIM) headquartered in France, [15]Keio
   University in Japan and [16]Beihang University in China. W3C
   has Offices in Australia; the Benelux countries; Brazil;
   Finland; France; Germany and Austria; Greece; Hungary; India;
   Italy; Korea; Morocco; Russia; Southern Africa; Spain; Sweden;
   and the United Kingdom and Ireland. For more information see
   [17]http://www.w3.org/

     [13] http://www.csail.mit.edu/
     [14] http://www.ercim.eu/
     [15] http://www.keio.ac.jp/
     [16] http://ev.buaa.edu.cn/
     [17] http://www.w3.org/

   End Press Release

Media Contact

   Karen Myers, W3C <[18]w3t-pr@w3.org>
   Mobile: 1.978.502.6218

     [18] mailto:w3t-pr@w3.org

Testimonials from W3C members

   [19]Nok Nok Labs

  Nok Nok Labs, Inc.

     The W3C's new Web Authentication work, based upon the FIDO
     Alliance submission of FIDO 2.0 Web APIs, is a huge step
     towards realizing our vision of strong authentication using
     strong cryptographic operations instead of passwords.  The
     W3C work drives us towards standards-based adoption by major
     browsers and enables consumers and organizations to achieve
     both an improved user experience and improved security.  As
     a founder of the FIDO Alliance and one of the organizations
     to submit the FIDO 2.0 Web API’s to the W3C, it is great to
     see the submissions move down the standards path.


    Ramesh Kesanupalli, Nok Nok Labs Founder and FIDO Visionary
     __________________________________________________________

   [20]Translations | [21]W3C Press Release Archive

     [20] https://www.w3.org/Press/Releases-2016#securewebauthwg
     [21] https://www.w3.org/Press/
Received on Wednesday, 17 February 2016 13:40:33 UTC