
W3C declares the passwordless WebAuthn to be the official standard

The World Wide Web Consortium (W3C) has announced that WebAuthn is now an official Internet standard, reports Venturebeat. The standard makes it possible to log in to websites without using a password.

WebAuthn was first announced by W3C and the FIDO Alliance in November 2015. W3C is the body that manages all web standards, and it developed WebAuthn with input from the FIDO Alliance. The FIDO Alliance was founded in 2013 to create interoperable authentication standards across the industry. WebAuthn was officially launched in April 2018.

The idea of WebAuthn is that it is no longer necessary to create a separate account with a unique password for each website. Instead, users can log into accounts with biometric data such as fingerprint or iris scans, with mobile devices, or with FIDO security keys. WebAuthn is already supported by Android, Windows 10, Google Chrome, Mozilla Firefox and Microsoft Edge. Apple has added support in preview versions of Safari.

“It’s now time for web services and businesses to adopt WebAuthn, move beyond vulnerable passwords and help web users improve the security of their online experiences,” said W3C CEO Jeff Jaffe. W3C has not yet adopted its own creation. However, the standard has already been implemented by websites such as Dropbox, Facebook, GitHub, Salesforce, Stripe and Twitter.

Now that WebAuthn is an official standard, the hope is that other websites will also implement it.

Criticism

However, security researchers from Paragon Initiative were critical of the protocol last year. They warned of problems because the standard relies on a number of outdated algorithms that have been vulnerable to attacks for years. These include Elliptic Curve Direct Anonymous Attestation (ECDAA) and RSASSA-PKCS1-v1_5.

About PKCS1v1.5, Paragon said: “The exploits are almost old enough to legally drink alcohol in the United States.” The researchers argue that the confusing documentation of the standard is the basis of the problem. It classifies PKCS1v1.5 as “mandatory” for legacy reasons, while ECDAA is “recommended”.

As a result, implementers may mistakenly read these algorithms as the minimum requirements for an implementation, while there are many more suitable algorithms to choose from.
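The practical consequence of that criticism is that a website (the WebAuthn relying party) should decide for itself which algorithms it offers and accepts, rather than following the "mandatory" label. The following Python sketch is an added example, not code from the article, Paragon or the W3C: it offers only ECDSA, EdDSA and RSASSA-PSS in the registration options and rejects a returned credential whose COSE_Key advertises RSASSA-PKCS1-v1_5. The COSE algorithm identifiers are taken from the IANA COSE registry; the two sample keys are constructed with filler bytes.

```python
# RP-side WebAuthn registration policy: the RP chooses which COSE algorithms
# it offers in pubKeyCredParams and re-checks the algorithm of the key the
# authenticator actually returned, since it may pick any offered entry.
ES256, EDDSA, PS256 = -7, -8, -37   # COSE ids: ECDSA P-256, Ed25519, RSASSA-PSS
RS256 = -257                        # COSE id: RSASSA-PKCS1-v1_5 with SHA-256
ALLOWED_ALGS = (ES256, EDDSA, PS256)  # preference order; PKCS#1 v1.5 left out

def creation_params():
    """pubKeyCredParams for navigator.credentials.create(), most preferred first."""
    return [{"type": "public-key", "alg": alg} for alg in ALLOWED_ALGS]

def _cbor_head(data, pos):
    # Decode a CBOR initial byte and its argument: (major type, argument, next pos).
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}[info]
    return major, int.from_bytes(data[pos:pos + width], "big"), pos + width

def _cbor_item(data, pos):
    """Decode one item; uint, negint, bstr and map are enough for a COSE_Key."""
    major, arg, pos = _cbor_head(data, pos)
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(data[pos:pos + arg]), pos + arg
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = _cbor_item(data, pos)
            result[key], pos = _cbor_item(data, pos)
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def credential_alg(cose_key):
    # The 'alg' entry of a COSE_Key is label 3.
    return _cbor_item(cose_key, 0)[0][3]

def check_credential_alg(cose_key):
    """Accept the registration only if the key's algorithm is allowlisted."""
    alg = credential_alg(cose_key)
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"credential algorithm {alg} is not permitted")
    return alg

# Constructed sample COSE_Keys (not real credentials) with filler coordinates/modulus.
ES256_KEY = (bytes([0xA5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20])
             + b"\x11" * 32 + bytes([0x22, 0x58, 0x20]) + b"\x22" * 32)
RS256_KEY = (bytes([0xA4, 0x01, 0x03, 0x03, 0x39, 0x01, 0x00, 0x20, 0x59, 0x01, 0x00])
             + b"\x33" * 256 + bytes([0x21, 0x43, 0x01, 0x00, 0x01]))
```

In a real deployment the COSE_Key comes from the attested credential data inside the authenticator data; a production RP would use a full CBOR library rather than this minimal decoder.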

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.