Today, 10 April 2018, the W3C officially announced:

The FIDO Alliance and the W3C have achieved a milestone in Web authentication standards, working toward a simpler and more powerful Web authentication mode globally.

Supported by Google Chrome, Microsoft Edge, and Mozilla Firefox, the FIDO2 project aims to protect Internet users around the world, ushering in a new era of pervasive, secure, and strong authentication!

This will break through the ultimate barrier between users and the Web, and bring a qualitative leap to the Web experience.

W3C Official Text

https://www.w3.org/ and Mountain View, Calif. — April 10, 2018 — The FIDO Alliance, in partnership with the World Wide Web Consortium (W3C), has made significant progress in Web authentication standards to bring simpler, more powerful ways to authenticate on the Web to users around the world.

The Web Authentication specification submitted by FIDO (hereinafter referred to as WebAuthn) has officially entered the W3C Candidate Recommendation (CR) stage. The specification was published by the W3C Web Authentication Working Group, which is made up of more than 30 member representatives from various organizations. Entering the CR phase means that the specification will eventually become a W3C Recommendation (REC); at this stage the W3C invites online service providers and Web application developers to implement WebAuthn.

WebAuthn defines a standard Web API that can be incorporated into browsers and the associated Web platform infrastructure to give users new ways to authenticate securely on the Web, in the browser and across sites and devices. WebAuthn is developed by the W3C and the FIDO Alliance. Together with FIDO’s Client to Authenticator Protocol (CTAP), WebAuthn is the core component of the FIDO2 project. CTAP enables an external authenticator (such as a security key or mobile phone) to transfer strong authentication credentials locally to a user’s Internet access device (computer or mobile phone) over USB, Bluetooth, or NFC. The FIDO2 specifications enable users to authenticate easily and securely to online services from their desktop or mobile device.

Brett McDowell, executive director of the FIDO Alliance, said:

With today’s announcement of the FIDO2 specification and Web browser support, we are taking a big step toward making FIDO authentication universal across all platforms and devices. After years of growing data breaches and password theft, this is an important time for service providers to end the reliance on vulnerable and one-time passwords, and adopt phishing-proof FIDO authentication for all websites and applications.

Google, Microsoft, and Mozilla have all committed to support WebAuthn in their browsers and have started implementing it on Windows, Mac, Linux, Chrome OS, and Android platforms. The emergence of WebAuthn and the CTAP specification enables developers and vendors to quickly deploy support for the next generation of FIDO authentication into their products and services.

W3C CEO Jeff Jaffe said:

Network security has always been an inescapable problem, which obstructs the network’s many positive effects on society. The reliance on passwords is one of the weakest links in today’s network security. We are gradually eliminating this vulnerability with the multi-factor solution of WebAuthn, which will change the way people access the Web.

The completion of FIDO2 standardization efforts, the advancement of the W3C WebAuthn standard, and the commitment of browser vendors to implement this standard herald the beginning of a new era of universal, hardware-enabled FIDO authentication protection for all Internet users.

Businesses and online service providers that want to protect themselves and their customers from password risks — including phishing, man-in-the-middle attacks, and the misuse of stolen credentials — can quickly deploy standards-based strong authentication, either through a browser or through an external authenticator. By deploying FIDO authentication, online services can offer users a choice among the interoperable devices they use every day, such as mobile phones and security keys.

The standardization of the new FIDO2 specification in browsers and operating systems will further expand the scope of FIDO authentication, which is cited by regulators and standard setters around the world and, through services provided by Google, Facebook, NTT DOCOMO, Bank of America, and others, is used on hundreds of millions of devices worldwide with more than 3.5 billion users. The new specification complements the existing password-less FIDO UAF and second-factor FIDO U2F use cases and extends the availability of FIDO authentication. FIDO2 Web browsers and online services are fully backward compatible with all previously certified FIDO security keys.

FIDO is about to start interoperability testing and will issue certificates to servers, clients and authenticators that comply with the FIDO2 specification. Conformance testing tools can be found on FIDO’s web site. In addition, FIDO will introduce new universal server authentication for servers that interoperate with all FIDO authenticator types (FIDO UAF, FIDO U2F, WebAuthn, CTAP).

Benefits of the WebAuthn and FIDO2 projects

W3C’s WebAuthn API is a standard Web API that integrates with browsers and the associated Web platform infrastructure to provide powerful, unique, public-key-based credentials for each site, eliminating the risk that passwords stolen from one site can be used on other sites. Web applications that run in a browser on a device with a FIDO authenticator can replace password exchange with cryptographic operations, or use them in addition to password exchange, which provides many benefits to service providers and users:

  • Simpler authentication: A user logs in using just one gesture

    • Internal or built-in authenticators (such as fingerprints or facial biometrics) in PCs, laptops and/or mobile devices

    • External authenticators (such as security keys and mobile devices) for device-to-device authentication using CTAP, an external authenticator protocol developed by the FIDO Alliance to complement WebAuthn

  • Stronger authentication: FIDO authentication is much more powerful than relying solely on passwords and related authentication methods and has the following advantages

    • User credentials and biometric templates never leave the user’s device and are never stored on the server

    • Accounts can be protected from phishing, man-in-the-middle attacks and replay attacks using stolen passwords

  • Developers can start creating applications and services that leverage FIDO authentication on FIDO’s new Developer Resources page.
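
The per-site credential and phishing protection described above come down to a few checks on the relying party's server. The following Node.js code is an added example, not part of the W3C announcement or of any FIDO code. The relying party ID, the origins and the `simulateAssertion` stand-in for browser and authenticator are assumptions constructed for the demonstration; the `clientDataJSON` fields and the authenticator data layout follow the WebAuthn specification.

```javascript
const crypto = require("node:crypto");

const RP_ID = "login.example";            // assumption: sample relying party ID
const ORIGIN = "https://login.example";   // assumption: its only accepted origin
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Server-side check of a login assertion. Returns "ok" or the rejection reason.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, publicKey, challenge) {
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  // The challenge is single-use and chosen by the server, which defeats replay.
  if (!Buffer.from(client.challenge, "base64url").equals(challenge)) return "challenge mismatch";
  // The browser, not the page, fills in the origin, which defeats look-alike sites.
  if (client.origin !== ORIGIN) return "origin mismatch";
  // Layout: rpIdHash (32 bytes) | flags (1 byte) | signature counter (4 bytes).
  if (authenticatorData.length < 37) return "short authenticator data";
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpIdHash mismatch";
  if ((authenticatorData[32] & 0x01) === 0) return "user not present";
  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad signature";
}

// Constructed stand-in for the browser and authenticator (hypothetical helper).
function simulateAssertion(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  // flags = 0x01 (user present), signature counter = 1
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign("sha256", signed, privateKey) };
}

function demo() {
  // Registration would store only publicKey on the server, one key pair per site.
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = crypto.randomBytes(32);
  const genuine = simulateAssertion(privateKey, challenge, ORIGIN, RP_ID);
  // Worst case: a look-alike site somehow obtains a signature from the same key.
  const phished = simulateAssertion(privateKey, challenge, "https://login-example.test", "login-example.test");
  return {
    genuine: verifyAssertion(genuine, publicKey, challenge),
    phished: verifyAssertion(phished, publicKey, challenge),
    replayed: verifyAssertion(genuine, publicKey, crypto.randomBytes(32)), // stale assertion, new challenge
  };
}
console.log(demo());
```

The server holds no secret in this exchange: a breach of its database exposes only public keys, and an assertion captured on one origin or for one challenge fails verification anywhere else.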

About FIDO Alliance

The Fast IDentity Online Alliance (FIDO Alliance), www.fidoalliance.org, was founded in July 2012 to address the lack of interoperability between strong authentication technologies and is dedicated to solving the problems users encounter when creating and remembering multiple user names and passwords. The FIDO Alliance is changing the nature of authentication with simpler, more powerful authentication standards, defining a set of open, extensible, interoperable mechanisms to reduce reliance on passwords. FIDO authentication is more powerful, private and simplified when authenticating to online services.

About World Wide Web Consortium (W3C)

The World Wide Web Consortium (W3C), www.w3.org, is an international organization composed of member organizations, full-time staff, and the public dedicated to the development of Internet standards. W3C creates standards and guidelines to ensure the long-term stability of the Internet. The Open Web Platform is the core work of W3C. The W3C has established the basic technology protocols for building Web sites and applications, including HTML5 and CSS, and won a 2016 Emmy Award for its work on barrierless online video captioning.

The W3C’s concept of “One Web” attracts thousands of technical experts from more than 400 member organizations around the world. W3C is jointly managed by the MIT Computer Science and Artificial Intelligence Laboratory (MIT CSAIL), the European Research Consortium for Informatics and Mathematics (ERCIM) in France, Keio University in Japan and Beihang University in China, and has offices all over the world. More information can be found at http://www.w3.org.
