- From: Amy van der Hiel <amy@w3.org>
- Date: Tue, 10 Apr 2018 08:42:37 -0400
- To: w3c-news@w3.org
- Cc: Amy van der Hiel <amy@w3.org>, W3C PR <w3t-pr@w3.org>
Dear Media, Analysts and Friends of W3C,
Today W3C and the FIDO Alliance announce a major standards milestone in the global effort to bring simpler yet stronger web authentication to users around the world.
The W3C has advanced Web Authentication (WebAuthn), a collaborative effort based on Web API specifications submitted by FIDO to the W3C, to the Candidate Recommendation (CR) stage. WebAuthn defines a standard web API that can be incorporated into browsers and related web platform infrastructure which gives users new methods to securely authenticate on the web, in the browser and across sites and devices. The CR is the product of the Web Authentication Working Group, which is comprised of representatives from over 30 member organizations. With support from Google Chrome, Microsoft Edge and Mozilla Firefox, this work opens new era of ubiquitous, phishing-resistant, strong authentication to protect web users worldwide.
For more information, read the press release or text version below:
https://www.w3.org/2018/04/pressrelease-webauthn-fido2.html.en
best,
Amy van der HIel
W3C Media Relations Coordinator
[1]W3C [2] FIDO Alliance For immediate release
[1] https://www.w3.org/
[2] http://www.fidoalliance.org/
FIDO Alliance and W3C Achieve Major Standards Milestone in Global Effort
Towards Simpler, Stronger Authentication on the Web
With support from Google Chrome, Microsoft Edge and Mozilla Firefox,
FIDO2 Project opens new era of ubiquitous, phishing-resistant, strong
authentication to protect web users worldwide
__________________________________________________________
Read [3]testimonials from W3C Members
[4]Translations | [5]W3C Press Release Archive
__________________________________________________________
[4] https://www.w3.org/Press/Releases-2018#webauthn-fido2
[5] https://www.w3.org/Press/
[6]illustration of the authentication with fido2
[6] https://www.w3.org/2018/04/fido2-graphic2.png
[7]https://www.w3.org/ and Mountain View, Calif. — 10 April
2018 — The [8]FIDO Alliance and the [9]World Wide Web
Consortium (W3C) have achieved a major standards milestone in
the global effort to bring simpler yet stronger web
authentication to users around the world. The W3C has advanced
[10]Web Authentication (WebAuthn), a collaborative effort based
on Web API specifications submitted by FIDO to the W3C, to the
Candidate Recommendation (CR) stage. The CR is the product of
the [11]Web Authentication Working Group, which is comprised of
representatives from [12]over 30 member organizations. CR is a
precursor to final approval of a web standard, and the W3C has
invited online services and web app developers to [13]implement
WebAuthn.
[7] https://www.w3.org/
[8] http://www.fidoalliance.org/
[9] https://www.w3.org/
[10] http://www.w3.org/TR/2018/CR-webauthn-20180320/
[11] https://www.w3.org/webauthn/
[12] https://www.w3.org/2000/09/dbwg/details?group=87227&order=org&public=1
[13] https://www.w3.org/blog/news/archives/6921
WebAuthn defines a standard web API that can be incorporated
into browsers and related web platform infrastructure which
gives users new methods to securely authenticate on the web, in
the browser and across sites and devices. WebAuthn has been
developed in coordination with FIDO Alliance and is a core
component of the [14]FIDO2 Project along with FIDO’s [15]Client
to Authenticator Protocol (CTAP) specification. CTAP enables an
external authenticator, such as a security key or a mobile
phone, to communicate strong authentication credentials locally
over USB, Bluetooth or NFC to the user's internet access device
(PC or mobile phone). The FIDO2 specifications collectively
enable users to authenticate easily to online services with
desktop or mobile devices with phishing-resistant security.
[14] https://fidoalliance.org/fido2
[15] https://fidoalliance.org/download/
"With the new FIDO2 specifications and leading web browser
support announced today, we are taking a big step forward
towards making FIDO Authentication ubiquitous across all
platforms and devices," said Brett McDowell, executive director
of the FIDO Alliance. "After years of increasingly severe data
breaches and password credential theft, now is the time for
service providers to end their dependency on vulnerable
passwords and one-time-passcodes and adopt phishing-resistant
FIDO Authentication for all websites and applications."
Google, Microsoft, and Mozilla have committed to supporting the
WebAuthn standard in their flagship browsers and have started
implementation for Windows, Mac, Linux, Chrome OS and Android
platforms. Both the [16]WebAuthn and [17]CTAP specifications
are available today, enabling developers and vendors to get a
jumpstart on building support for the next generation of FIDO
Authentication into their products and services.
[16] http://www.w3.org/TR/2018/CR-webauthn-20180320/
[17] https://fidoalliance.org/download/
"Security on the web has long been a problem which has
interfered with the many positive contributions the web makes
to society. While there are many web security problems and we
can't fix them all, relying on passwords is one of the weakest
links. With WebAuthn's multi-factor solutions we are
eliminating this weak link," stated W3C CEO Jeff Jaffe.
"WebAuthn will change the way that people access the Web."
The completion of the FIDO2 standardization efforts, promotion
of WebAuthn along the W3C standards track, and the commitment
of leading browser vendors to implementation opens a new era of
ubiquitous, hardware-backed FIDO Authentication protection for
everyone using the internet.
Enterprises and online service providers looking to protect
themselves and their customers from the risks associated with
passwords — including phishing, man-in-the-middle attacks and
the abuse of stolen credentials — can soon deploy
standards-based strong authentication that works through the
browser or via an external authenticator. Deploying FIDO
Authentication enables online services to provide choice to
users from an interoperable ecosystem of devices people use
every day like mobile phones and security keys.
The standardization of the new FIDO2 specifications in browsers
and operating systems will further expand the reach of FIDO
Authentication, which is referenced by regulators and
standards-setting bodies worldwide and is already available on
hundreds of millions of devices and offered to more than 3.5
billion user accounts worldwide through services from companies
such as Google, Facebook, NTT DOCOMO, Bank of America and many
more. The new specifications complement existing passwordless
FIDO UAF and second-factor FIDO U2F use cases, and expand the
availability of FIDO Authentication. FIDO2 web browsers and
online services are fully backwards compatible with all
previously certified FIDO Security Keys.
FIDO will soon launch interoperability testing and will issue
certifications for servers, clients and authenticators adhering
to FIDO2 specifications. The conformance test tools are
available on FIDO’s [18]website. Additionally, FIDO will
introduce a new Universal Server certification for servers that
interoperate with all FIDO authenticator types (FIDO UAF, FIDO
U2F, WebAuthn, CTAP).
[18] https://fidoalliance.org/test-tool-access-request/
WebAuthn and FIDO2 Project Benefits
W3C’s WebAuthn API, a standard web API that can be incorporated
into browsers and related web platform infrastructure, enables
strong, unique, public key-based credentials for each site,
eliminating the risk that a password stolen from one site can
be used on another. A web application running in a browser
loaded on a device with a FIDO Authenticator can easily call to
a public API to enable simpler, stronger FIDO Authentication of
users with cryptographic operations in place of, or in addition
to password exchange, delivering many advantages to service
providers and users alike:
* Simpler authentication: users simply log in with a single
gesture using:
+ Internal or built-in authenticators (such as
fingerprint or facial biometrics) in PCs, laptops
and/or mobile devices
+ Convenient external authenticators, such as security
keys and mobile devices, for device-to-device
authentication using CTAP, a protocol for external
authenticators developed by the FIDO Alliance that
complements WebAuthn
* Stronger authentication: FIDO Authentication is much
stronger than relying only on passwords and related forms
of authentication, and has these advantages:
+ User credentials and biometric templates never leave
the user’s device and are never stored on servers
+ Accounts are protected from phishing,
man-in-the-middle and replay attacks that use stolen
passwords
* Developers can get started on creating apps and services
that leverage FIDO Authentication on FIDO’s new
[19]developer resources page.
[19] https://fidoalliance.org/participate/developers/
About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance,
[20]www.fidoalliance.org, was formed in July 2012 to address
the lack of interoperability among [21]strong authentication
technologies, and remedy the problems users face with creating
and remembering multiple usernames and passwords. The FIDO
Alliance is changing the nature of authentication with
standards for simpler, stronger authentication that define an
open, scalable, interoperable set of mechanisms that reduce
reliance on passwords. FIDO authentication is stronger,
private, and easier to use when authenticating to online
services.
[20] https://www.fidoalliance.org/
[21] https://www.fidoalliance.org/specifications/
About the World Wide Web Consortium
The mission of the World Wide Web Consortium (W3C),
[22]www.w3.org, is to lead the Web to its full potential by
creating technical standards and guidelines to ensure that the
Web remains open, accessible, and interoperable for everyone
around the globe. W3C develops well known specifications such
as HTML5, CSS, and the Open Web Platform as well as work on
security and privacy, all created in the open and provided for
free and under the unique W3C Patent Policy. For its work to
make online videos more accessible with captions and subtitles,
W3C received a 2016 Emmy Award.
[22] https://www.w3.org/
W3C's vision for "One Web" brings together thousands of
dedicated technologists representing more than 400 [23]Member
organizations and dozens of industry sectors. W3C is jointly
hosted by the [24]MIT Computer Science and Artificial
Intelligence Laboratory (MIT CSAIL) in the United States, the
[25]European Research Consortium for Informatics and
Mathematics (ERCIM) headquartered in France, [26]Keio
University in Japan and [27]Beihang University in China. For
more information see [28]https://www.w3.org/.
[23] https://www.w3.org/Consortium/Member/List
[24] https://www.csail.mit.edu/
[25] https://www.ercim.eu/
[26] https://www.keio.ac.jp/
[27] http://ev.buaa.edu.cn/
[28] https://www.w3.org/
End Press Release
FIDO Alliance PR Contacts
Mike Smith or Adrian Loth, Montner Tech PR
<[29]fidopr@montner.com>
mailto:fidopr@montner.com
+1.203.226.9290 (US, Eastern Time)
W3C PR Contact
Amy van der Hiel, W3C Media Relations Coordinator
<[30]w3t-pr@w3.org>
mailto:w3t-pr@w3.org
+1.617.253.5628 (US, Eastern Time)
__________________________________________________________
Testimonials from W3C members
-
[31]Google Inc. • [32]Microsoft Corp. • [33]Mozilla
Google Inc.
"Google Chrome is dedicated to building a better web, and
allowing developers to interact with secure keystores in a
structured way helps us continue this mission. As a founding
member of the U2F and FIDO2 working groups within FIDO,
we’re excited for the launch of these standards and look
forward to our continued collaboration."
Sam Srinivas, Management Director, Google Cloud Security
Product
Microsoft
"Providing a password alternative that works across devices,
apps, browsers, and websites delivers on our commitment to a
future without passwords. We are excited to announce that we
will add support for WebAuthn API, currently in the approval
process stage, and W3C, in Microsoft Edge thanks to our work
with the FIDO Alliance."
Dave Bossio, Group Program Manager, Operating System
Security, Microsoft
Mozilla
"With Web Authentication, we’re giving people using Firefox
the opportunity to add another layer of security to their
browsing experience. Giving people greater control over how
they manage their security online and making the internet
safer is central to Mozilla’s mission to keep the web open
and accessible to all."
Selena Deckelmann, Senior Director of Engineering, Firefox
Runtime, Mozilla
__________________________________________________________
[34]Translations | [35]W3C Press Release Archive
[34] https://www.w3.org/Press/Releases-2018#webauthn-fido2
[35] https://www.w3.org/Press/
Received on Tuesday, 10 April 2018 12:42:51 UTC