Press Release: W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins

Dear friends of W3C,

Today W3C and FIDO Alliance are pleased to announce that the Web Authentication (WebAuthn) specification is now an official web standard. This advancement is a major step forward in making the web more secure—and usable—for users around the world.

WebAuthn is a user-friendly solution to password theft, phishing and replay attacks. 

W3C's WebAuthn Recommendation, a core component of the FIDO Alliance's FIDO2 set of specifications, is a browser/platform standard for simpler and stronger authentication. WebAuthn allows users to log into their internet accounts using their preferred device. Major browsers and platforms now have built-in support for the new Web standard for easy and secure logins via biometrics, mobile devices and FIDO security keys.

Web services and apps can—and should—turn on this functionality to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys, and with much higher security over passwords alone. “Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,” notes Jeff Jaffe, W3C CEO.

For more information, please see the press release here (and text version below). 
 
Please feel free to contact me to learn more or to schedule an interview.
 
best,
Amy van der Hiel
W3C Media Relations Coordinator

===========================================================

     [1]W3C  [2] FIDO Alliance For immediate release

      [1] https://www.w3.org/
      [2] http://www.fidoalliance.org/

  W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless
                                 Logins

Major browsers and platforms have built-in support for new Web standard
for easy and secure logins via biometrics, mobile devices and FIDO
security keys
     __________________________________________________________

   Read [3]testimonials from W3C Members

   [4]Translations | [5]W3C Press Release Archive
     __________________________________________________________

      [4] https://www.w3.org/Press/Releases-2019#webauthn-rec
      [5] https://www.w3.org/Press/

   [6]https://www.w3.org/, and MOUNTAIN VIEW, Calif., — 4 March
   2019 — The [7]World Wide Web Consortium (W3C) and the [8]FIDO
   Alliance today announced the Web Authentication (WebAuthn)
   specification is now an official web standard. This advancement
   is a major step forward in making the web more secure—and
   usable—for users around the world.

      [6] https://www.w3.org/
      [7] https://www.w3.org/
      [8] http://fidoalliance.org/

   W3C's [9]WebAuthn Recommendation, a core component of the FIDO
   Alliance's [10]FIDO2 set of specifications [11](1), is a
   browser/platform standard for simpler and stronger
   authentication. It is already supported in [12]Windows 10,
   Android, and [13]Chrome, [14]Firefox, [15]Edge and [16]Safari
   Web browsers. WebAuthn allows users to log into their internet
   accounts using their preferred device. Web services and apps
   can—and should—turn on this functionality to give their users
   the option to log in more easily via biometrics, mobile devices
   and/or FIDO security keys, and with much higher security over
   passwords alone.

      [9] https://www.w3.org/TR/2019/REC-webauthn-1-20190304/
     [10] https://fidoalliance.org/fido2/
     [12] https://www.microsoft.com/en-us/microsoft-365/blog/2018/11/20/sign-in-to-your-microsoft-account-without-a-password-using-windows-hello-or-a-security-key/
     [13] https://blog.chromium.org/2018/09/chrome-70-beta-shape-detection-web.html
     [14] https://blog.mozilla.org/blog/2018/05/09/firefox-gets-down-to-business-and-its-personal/
     [15] https://blogs.windows.com/msedgedev/2018/07/30/introducing-web-authentication-microsoft-edge/
     [16] https://webkit.org/blog/8517/release-notes-for-safari-technology-preview-71/

   “Now is the time for web services and businesses to adopt
   WebAuthn to move beyond vulnerable passwords and help web users
   improve the security of their online experiences,” said Jeff
   Jaffe, W3C CEO. “W3C's Recommendation establishes web-wide
   interoperability guidance, setting consistent expectations for
   web users and the sites they visit. W3C is working to implement
   this best practice on its own site.”

  A user-friendly solution to password theft, phishing and replay
  attacks

   It's common knowledge that passwords have outlived their
   efficacy. Not only are stolen, weak or default passwords behind
   [17]81 percent of data breaches, they are a drain of time and
   resources. According to a [18]recent Yubico study, users spend
   10.9 hours per year entering and/or resetting passwords, which
   costs companies an average of $5.2 million annually. While
   traditional multi-factor authentication (MFA) solutions like
   SMS one-time codes add another layer of security, they are
   still [19]vulnerable to phishing attacks, aren’t simple to use
   and suffer from low opt-in rates.

     [17] https://www.knowbe4.com/hubfs/rp_DBIR_2017_Report_execsummary_en_xg.pdf
     [18] https://www.yubico.com/press-releases/yubicos-2019-state-of-password-and-authentication-security-behaviors-report/
     [19] https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

   With FIDO2 and WebAuthn, the global technology community has
   come together to provide a shared solution to the shared
   password problem. FIDO2 addresses all of the issues with
   traditional authentication:
     * Security: FIDO2 cryptographic login credentials are unique
       across every website, biometrics or other secrets like
       passwords never leave the user’s device and are never
       stored on a server. This security model eliminates the
       risks of phishing, all forms of password theft and replay
       attacks.
     * Convenience: Users log in with convenient methods such as
       fingerprint readers, cameras, FIDO security keys, or their
       personal mobile device.
     * Privacy: Because FIDO keys are unique for each Internet
       site, they cannot be used to track you across sites.
     * Scalability: websites can enable FIDO2 via a simple API call
       across all supported browsers and platforms on billions of
       devices consumers use every day.

   “Web Authentication as an official web standard is the pinnacle
   of many years of industry collaboration to develop a practical
   solution for stronger authentication on the web,” said Brett
   McDowell, executive director of the FIDO Alliance. “With this
   milestone, we're moving into a new era of ubiquitous,
   hardware-backed FIDO Authentication protection for everyone
   using the internet.”

  Getting started

   For service providers and vendors ready to get started with
   FIDO2 specifications and browser/platform support, the FIDO
   Alliance has provided testing tools and launched a
   [20]certification program. Currently, there are many FIDO2
   Certified solutions available to support a wide variety of use
   cases, including FIDO Certified Universal Servers that support
   FIDO2 and all prior UAF and U2F devices for full backward
   compatibility with the full range of certified FIDO
   authenticators.

     [20] https://fidoalliance.org/certification/

   Visit the FIDO Alliance website for more information on
   [21]FIDO2, including resources for [22]developers and product
   vendors interested in taking part in the [23]FIDO Certified
   program.

     [21] https://fidoalliance.org/fido2/
     [22] https://fidoalliance.org/participate/developers/
     [23] https://fidoalliance.org/certification/

   (1) FIDO2 is comprised of the W3C’s Web Authentication
   specification (WebAuthn) and FIDO Alliance’s corresponding
   Client-to-Authenticator Protocol (CTAP).

About the FIDO Alliance

   The FIDO (Fast IDentity Online) Alliance,
   [24]www.fidoalliance.org, was formed in July 2012 to address
   the lack of interoperability among [25]strong authentication
   technologies, and remedy the problems users face with creating
   and remembering multiple usernames and passwords. The FIDO
   Alliance is changing the nature of authentication with
   standards for simpler, stronger authentication that define an
   open, scalable, interoperable set of mechanisms that reduce
   reliance on passwords. FIDO authentication is stronger,
   private, and easier to use when authenticating to online
   services.

     [24] https://www.fidoalliance.org/
     [25] https://www.fidoalliance.org/specifications/

About the World Wide Web Consortium

   The mission of the World Wide Web Consortium (W3C) is to lead
   the Web to its full potential by creating technical standards
   and guidelines to ensure that the Web remains open, accessible,
   and interoperable for everyone around the globe. W3C develops
   well known specifications such as HTML5, CSS, and the Open Web
   Platform as well as work on security and privacy, all created
   in the open and provided for free and under the unique W3C
   Patent Policy. For its work to make online videos more
   accessible with captions and subtitles, W3C received a 2016
   Emmy Award.

   W3C's vision for "One Web" brings together thousands of
   dedicated technologists representing more than 400 [26]Member
   organizations and dozens of industry sectors. W3C is jointly
   hosted by the [27]MIT Computer Science and Artificial
   Intelligence Laboratory (MIT CSAIL) in the United States, the
   [28]European Research Consortium for Informatics and
   Mathematics (ERCIM) headquartered in France, [29]Keio
   University in Japan and [30]Beihang University in China. For
   more information see [31]https://www.w3.org/.

     [26] https://www.w3.org/Consortium/Member/List
     [27] https://www.csail.mit.edu/
     [28] https://www.ercim.eu/
     [29] https://www.keio.ac.jp/
     [30] http://ev.buaa.edu.cn/
     [31] https://www.w3.org/

   End Press Release

FIDO Alliance PR Contacts

   Megan Shamas, Montner Tech PR, +1.203.226.9290
   <[32]press@fidoalliance.org>

     [32] mailto:press@fidoalliance.org

W3C Media Contact

   Amy van der Hiel, W3C Media Relations Coordinator
   <[33]w3t-pr@w3.org>

     [33] mailto:w3t-pr@w3.org

   +1.617.253.5628 (US, Eastern Time)
     __________________________________________________________

Testimonials from W3C members

  Duo Security, a Cisco business unit

     "The WebAuthn specification is a major and collaborative
     leap forward in the evolution of simpler, stronger user
     authentication. As pioneers in the authentication space, Duo
     Security knows that for security to be effective, it has to
     be easy. WebAuthn’s security and privacy protections,
     built-in phishing resistance and ease-of-use give it the
     potential to drive widespread adoption across enterprise and
     consumer markets, making everyone safer as a result. True
     passwordless authentication has been sought for a long time
     - today, we’re closer to realizing that goal with WebAuthn."


    James Barclay, Senior R&D Engineer, Duo Security, a Cisco
    business unit

  Google

     "The fact that users get phished is not really their
     failing. It was a gap in the internet infrastructure that
     made them vulnerable. With today’s announcement, the
     internet community is closing that gap. The internet
     infrastructure now has the tools to provide user friendly
     phishing-resistant authentication at scale. Google has been
     part of this journey since the earliest days; we introduced
     [40]Security Key based authentication in 2014, the
     [41]Advanced Protection Program in 2017, and the [42]Titan
     Security Key in 2018. Now with W3C WebAuthn and FIDO2 client
     support coming across all major client platforms, an expanded
     set of capabilities is enabled. We look forward to
     leveraging these to offer our users additional new intuitive
     login experiences that are phishing-resistant."

     [40] https://support.google.com/accounts/answer/6103523
     [41] https://landing.google.com/advancedprotection/
     [42] https://cloud.google.com/titan-security-key/


    Sam Srinivas, Product Management Director, Google and
    President, FIDO Alliance

  Microsoft Corporation

     "Our work with W3C and FIDO Alliance, and contributions to
     FIDO2 standards have been a critical piece of Microsoft’s
     commitment to a world without passwords, which started in
     2015. Today, Windows 10 with Microsoft Edge fully supports
     the WebAuthn standard and millions of users can log in to
     their Microsoft account without using a password."


    Alex Simons, Corporate Vice President, Program Management,
    Microsoft Identity Division

  Mozilla Foundation

     "Out of all multi-factor authentication solutions I know of,
     Web Authentication is our best technical response to the
     scourge of phishing. Protecting individuals' privacy and
     security is fundamental to Mozilla, and Web Authentication
     plays a key role in that protection. Mozilla supports the
     advancement of Web Authentication, and its end-goal of a
     phishing-free future for all the Web."


    J.C. Jones, Cryptography Engineer, Mozilla

  Nok Nok Labs

     "Providing an alternative to phishable and inconvenient
     passwords that works across devices, apps, browsers, and
     websites has been the mission of Nok Nok Labs since our
     inception. The Web Authentication API is an important step
     towards the goal of enabling simple and strong
     authentication on the devices we use in our daily lives. It
     is imperative that the industry as a whole continues to add
     support for FIDO Authentication into all platforms to better
     protect consumers in our digital world."


    Rolf Lindemann, Sr. Director of Products at Nok Nok Labs

  Yubico

     "Today's standardization of W3C's WebAuthn marks a milestone
     in the history of open authentication standards and internet
     security. Together, we achieved the near-impossible: the
     creation of a global standard supported by all platforms and
     browsers. Yubico is grateful to be a part of this journey
     and we look forward to the possibilities this is going to
     open for seamless, ubiquitous security for all internet
     users."


    Stina Ehrensvard, CEO and Founder, Yubico
     __________________________________________________________


Received on Monday, 4 March 2019 13:01:18 UTC