- From: Amy van der Hiel <amy@w3.org>
- Date: Mon, 4 Mar 2019 08:01:12 -0500
- To: w3c-news@w3.org
- Cc: Amy van der Hiel <amy@w3.org>, W3C Comm Team <w3t-comm@w3.org>
Dear friends of W3C,
Today W3C and FIDO Alliance are pleased to announce that the Web Authentication (WebAuthn) specification is now an official web standard. This advancement is a major step forward in making the web more secure—and usable—for users around the world.
WebAuthn is a user-friendly solution to password theft, phishing and replay attacks.
W3C's WebAuthn Recommendation, a core component of the FIDO Alliance's FIDO2 set of specifications, is a browser/platform standard for simpler and stronger authentication. WebAuthn allows users to log into their internet accounts using their preferred device. Major browsers and platforms now have built-in support for the new Web standard for easy and secure logins via biometrics, mobile devices and FIDO security keys.
Web services and apps can—and should—turn on this functionality to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys, and with much higher security over passwords alone. “Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,” notes Jeff Jaffe, W3C CEO.
For more information, please see the press release here (and text version below).
Please feel free to contact me to learn more or to schedule an interview.
best,
Amy van der Hiel
W3C Media Relations Coordinator
===========================================================
[1]W3C [2] FIDO Alliance For immediate release
[1] https://www.w3.org/
[2] http://www.fidoalliance.org/
W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless
Logins
Major browsers and platforms have built-in support for new Web standard
for easy and secure logins via biometrics, mobile devices and FIDO
security keys
__________________________________________________________
Read [3]testimonials from W3C Members
[4]Translations | [5]W3C Press Release Archive
__________________________________________________________
[4] https://www.w3.org/Press/Releases-2019#webauthn-rec
[5] https://www.w3.org/Press/
[6]https://www.w3.org/, and MOUNTAIN VIEW, Calif., — 4 March
2019 — The [7]World Wide Web Consortium (W3C) and the [8]FIDO
Alliance today announced the Web Authentication (WebAuthn)
specification is now an official web standard. This advancement
is a major step forward in making the web more secure—and
usable—for users around the world.
[6] https://www.w3.org/
[7] https://www.w3.org/
[8] http://fidoalliance.org/
W3C's [9]WebAuthn Recommendation, a core component of the FIDO
Alliance's [10]FIDO2 set of specifications [11](1), is a
browser/platform standard for simpler and stronger
authentication. It is already supported in [12]Windows 10,
Android, and [13]Chrome, [14]Firefox, [15]Edge and [16]Safari
Web browsers. WebAuthn allows users to log into their internet
accounts using their preferred device. Web services and apps
can—and should—turn on this functionality to give their users
the option to log in more easily via biometrics, mobile devices
and/or FIDO security keys, and with much higher security over
passwords alone.
[9] https://www.w3.org/TR/2019/REC-webauthn-1-20190304/
[10] https://fidoalliance.org/fido2/
[12] https://www.microsoft.com/en-us/microsoft-365/blog/2018/11/20/sign-in-to-your-microsoft-account-without-a-password-using-windows-hello-or-a-security-key/
[13] https://blog.chromium.org/2018/09/chrome-70-beta-shape-detection-web.html
[14] https://blog.mozilla.org/blog/2018/05/09/firefox-gets-down-to-business-and-its-personal/
[15] https://blogs.windows.com/msedgedev/2018/07/30/introducing-web-authentication-microsoft-edge/
[16] https://webkit.org/blog/8517/release-notes-for-safari-technology-preview-71/
“Now is the time for web services and businesses to adopt
WebAuthn to move beyond vulnerable passwords and help web users
improve the security of their online experiences,” said Jeff
Jaffe, W3C CEO. “W3C's Recommendation establishes web-wide
interoperability guidance, setting consistent expectations for
web users and the sites they visit. W3C is working to implement
this best practice on its own site.”
A user-friendly solution to password theft, phishing and replay
attacks
It's common knowledge that passwords have outlived their
efficacy. Not only are stolen, weak or default passwords behind
[17]81 percent of data breaches, they are a drain of time and
resources. According to a [18]recent Yubico study, users spend
10.9 hours per year entering and/or resetting passwords, which
costs companies an average of $5.2 million annually. While
traditional multi-factor authentication (MFA) solutions like
SMS one-time codes add another layer of security, they are
still [19]vulnerable to phishing attacks, aren’t simple to use
and suffer from low opt-in rates.
[17] https://www.knowbe4.com/hubfs/rp_DBIR_2017_Report_execsummary_en_xg.pdf
[18] https://www.yubico.com/press-releases/yubicos-2019-state-of-password-and-authentication-security-behaviors-report/
[19] https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/
With FIDO2 and WebAuthn, the global technology community has
come together to provide a shared solution to the shared
password problem. FIDO2 addresses all of the issues with
traditional authentication:
* Security: FIDO2 cryptographic login credentials are unique
across every website, biometrics or other secrets like
passwords never leave the user’s device and are never
stored on a server. This security model eliminates the
risks of phishing, all forms of password theft and replay
attacks.
* Convenience: Users log in with convenient methods such as
fingerprint readers, cameras, FIDO security keys, or their
personal mobile device.
* Privacy: Because FIDO keys are unique for each Internet
site, they cannot be used to track you across sites.
* Scalability: websites can enable FIDO2 via a simple API call
across all supported browsers and platforms on billions of
devices consumers use every day.
“Web Authentication as an official web standard is the pinnacle
of many years of industry collaboration to develop a practical
solution for stronger authentication on the web,” said Brett
McDowell, executive director of the FIDO Alliance. “With this
milestone, we're moving into a new era of ubiquitous,
hardware-backed FIDO Authentication protection for everyone
using the internet.”
Getting started
For service providers and vendors ready to get started with
FIDO2 specifications and browser/platform support, the FIDO
Alliance has provided testing tools and launched a
[20]certification program. Currently, there are many FIDO2
Certified solutions available to support a wide variety of use
cases, including FIDO Certified Universal Servers that support
FIDO2 and all prior UAF and U2F devices for full backward
compatibility with the full range of certified FIDO
authenticators.
[20] https://fidoalliance.org/certification/
Visit the FIDO Alliance website for more information on
[21]FIDO2, including resources for [22]developers and product
vendors interested in taking part in the [23]FIDO Certified
program.
[21] https://fidoalliance.org/fido2/
[22] https://fidoalliance.org/participate/developers/
[23] https://fidoalliance.org/certification/
(1) FIDO2 is comprised of the W3C’s Web Authentication
specification (WebAuthn) and FIDO Alliance’s corresponding
Client-to-Authenticator Protocol (CTAP).
About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance,
[24]www.fidoalliance.org, was formed in July 2012 to address
the lack of interoperability among [25]strong authentication
technologies, and remedy the problems users face with creating
and remembering multiple usernames and passwords. The FIDO
Alliance is changing the nature of authentication with
standards for simpler, stronger authentication that define an
open, scalable, interoperable set of mechanisms that reduce
reliance on passwords. FIDO authentication is stronger,
private, and easier to use when authenticating to online
services.
[24] https://www.fidoalliance.org/
[25] https://www.fidoalliance.org/specifications/
About the World Wide Web Consortium
The mission of the World Wide Web Consortium (W3C) is to lead
the Web to its full potential by creating technical standards
and guidelines to ensure that the Web remains open, accessible,
and interoperable for everyone around the globe. W3C develops
well-known specifications such as HTML5, CSS, and the Open Web
Platform as well as work on security and privacy, all created
in the open and provided for free and under the unique W3C
Patent Policy. For its work to make online videos more
accessible with captions and subtitles, W3C received a 2016
Emmy Award.
W3C's vision for "One Web" brings together thousands of
dedicated technologists representing more than 400 [26]Member
organizations and dozens of industry sectors. W3C is jointly
hosted by the [27]MIT Computer Science and Artificial
Intelligence Laboratory (MIT CSAIL) in the United States, the
[28]European Research Consortium for Informatics and
Mathematics (ERCIM) headquartered in France, [29]Keio
University in Japan and [30]Beihang University in China. For
more information see [31]https://www.w3.org/.
[26] https://www.w3.org/Consortium/Member/List
[27] https://www.csail.mit.edu/
[28] https://www.ercim.eu/
[29] https://www.keio.ac.jp/
[30] http://ev.buaa.edu.cn/
[31] https://www.w3.org/
End Press Release
FIDO Alliance PR Contacts
Megan Shamas, Montner Tech PR, +1.203.226.9290
<[32]press@fidoalliance.org>
[32] mailto:press@fidoalliance.org
W3C Media Contact
Amy van der Hiel, W3C Media Relations Coordinator
<[33]w3t-pr@w3.org>
[33] mailto:w3t-pr@w3.org
+1.617.253.5628 (US, Eastern Time)
__________________________________________________________
Testimonials from W3C members
[34]Duo Security, a Cisco business unit • [35]Google •
[36]Microsoft Corporation • [37]Mozilla Foundation • [38]Nok Nok
Labs • [39]Yubico
Duo Security, a Cisco business unit
"The WebAuthn specification is a major and collaborative
leap forward in the evolution of simpler, stronger user
authentication. As pioneers in the authentication space, Duo
Security knows that for security to be effective, it has to
be easy. WebAuthn’s security and privacy protections,
built-in phishing resistance and ease-of-use give it the
potential to drive widespread adoption across enterprise and
consumer markets, making everyone safer as a result. True
passwordless authentication has been sought for a long time
- today, we’re closer to realizing that goal with WebAuthn."
James Barclay, Senior R&D Engineer, Duo Security, a Cisco
business unit
Google
"The fact that users get phished is not really their
failing. It was a gap in the internet infrastructure that
made them vulnerable. With today’s announcement, the
internet community is closing that gap. The internet
infrastructure now has the tools to provide user friendly
phishing-resistant authentication at scale. Google has been
part of this journey since the earliest days; we introduced
[40]Security Key based authentication in 2014, the
[41]Advanced Protection Program in 2017, and the [42]Titan
Security Key in 2018. Now with W3C WebAuthn and FIDO2 client
support coming across all major client platforms, an expanded
set of capabilities is enabled. We look forward to
leveraging these to offer our users additional new intuitive
login experiences that are phishing-resistant."
[40] https://support.google.com/accounts/answer/6103523
[41] https://landing.google.com/advancedprotection/
[42] https://cloud.google.com/titan-security-key/
Sam Srinivas, Product Management Director, Google and
President, FIDO Alliance
Microsoft Corporation
"Our work with W3C and FIDO Alliance, and contributions to
FIDO2 standards have been a critical piece of Microsoft’s
commitment to a world without passwords, which started in
2015. Today, Windows 10 with Microsoft Edge fully supports
the WebAuthn standard and millions of users can log in to
their Microsoft account without using a password."
Alex Simons, Corporate Vice President, Program Management,
Microsoft Identity Division
Mozilla Foundation
"Out of all multi-factor authentication solutions I know of,
Web Authentication is our best technical response to the
scourge of phishing. Protecting individuals' privacy and
security is fundamental to Mozilla, and Web Authentication
plays a key role in that protection. Mozilla supports the
advancement of Web Authentication, and its end-goal of a
phishing-free future for all the Web."
J.C. Jones, Cryptography Engineer, Mozilla
Nok Nok Labs
"Providing an alternative to phishable and inconvenient
passwords that works across devices, apps, browsers, and
websites has been the mission of Nok Nok Labs since our
inception. The Web Authentication API is an important step
towards the goal of enabling simple and strong
authentication on the devices we use in our daily lives. It
is imperative that the industry as a whole continues to add
support for FIDO Authentication into all platforms to better
protect consumers in our digital world."
Rolf Lindemann, Sr. Director of Products at Nok Nok Labs
Yubico
"Today's standardization of W3C's WebAuthn marks a milestone
in the history of open authentication standards and internet
security. Together, we achieved the near-impossible: the
creation of a global standard supported by all platforms and
browsers. Yubico is grateful to be a part of this journey
and we look forward to the possibilities this is going to
open for seamless, ubiquitous security for all internet
users."
Stina Ehrensvard, CEO and Founder, Yubico
__________________________________________________________
Received on Monday, 4 March 2019 13:01:18 UTC