W3C Accelerates Efforts To Build a More Secure Web

Author(s) and publish date

Published:

Launches Web Authentication work based on FIDO Alliance specifications for more secure and flexible alternative to password log-ins on the Web

Read testimonials from W3C Members

http://www.w3.org/ — 17 February, 2016 — Recognizing the critical role of strong authentication in securing the Web experience for everyone, the World Wide Web Consortium (W3C) announced today that it is launching a new standards effort in Web Authentication that will offer a more secure and flexible alternative to password-based log-ins on the Web.

For many Web users, passwords are annoying to use and offer weak protection for their interactions – they're too often forgotten or set to weak, and easily-guessed combinations.  Even strong passwords can be lost in data breaches or targeted for replay in phishing attacks. W3C's new Web Authentication work, based upon the member submission of FIDO 2.0 Web APIs from the FIDO Alliance, will enable the use of strong cryptographic operations in place of password exchange.

"When strong authentication is easy to deploy, we make the Web safer for daily use, personal and commercial," said Sir Tim Berners-Lee, Web Inventor and W3C Director. "With the scope and frequency of attacks increasing, it is imperative for W3C to develop new standards and best practices for increased security on the Web."

Web Authentication Complements Current W3C Web Security Activities

According to W3C CEO Dr. Jeff Jaffe, the Web Authentication effort will complement prior W3C work on a Web Cryptography API, currently in Candidate Recommendation status, and on-going work on Web Application Security specifications.  The WebCrypto API provides a Javascript API to a standard suite of cryptographic operations across browsers. Work in WebAppSec includes improvements to the HTTPS experience and updates to Content Security Policy (CSP), enabling application authors to set policy for what active content is permitted to run on their sites, protecting them against injection of unwanted or malicious code.

"Our goal is to raise the entire Open Web Platform to a higher standard of security and to collaborate with industry, academic experts, and other standards organizations to ensure that specific Web security needs are met," Jaffe said. "We invite broad participation to work together on this top priority to keep the Web as secure as possible today and in the foreseeable future."

Wendy Seltzer, Technology and Society Domain Lead, says she expects the new Web Authentication work to close an important gap in the Web platform. "We've seen much better authentication methods than passwords, yet too many Web sites still use password-based log-ins. Standard Web APIs will make consistent implementations work across the Web ecosystem. The new approach will replace passwords with more secure ways of logging into Web sites, such as using a USB key or activating a smartphone. Strong authentication is useful to any Web application that wants to maintain an ongoing relationship with users," Seltzer commented.

FIDO 2.0 Web APIs to Jumpstart Web Authentication Work

The W3C's Web Authentication technical work is being accelerated thanks to a W3C member submission of FIDO 2.0 Web APIs from members of the FIDO Alliance. The submitted APIs are intended to ensure standards-based strong authentication across all Web browsers and related Web platform infrastructure.

"Our mission is to revolutionize authentication on the Web through the development and global adoption of technical specifications that supplant the world's dependency on passwords with interoperable strong authentication," said Brett McDowell, executive director of the FIDO Alliance.  "With W3C's acceptance of the FIDO 2.0 submission, and the chartering of this new Web Authentication Working Group, we are well on our way to accomplishing that mission."

The new Web Authentication Working Group's first meeting will take place 4 March 2016 in San Francisco, conveniently timed for people who are also attending the RSA USA Conference. All W3C standards activities take place in Working Groups that are open to participation by W3C members and provide public mailing lists and repositories for public comment.

"The developers and engineers involved in W3C’s efforts to improve Web security are keenly aware of the need to upgrade protocols without breaking the Web that billions of people rely on," said Seltzer.  "We very much encourage those interested in helping W3C to build a more secure Web to get involved."

About the World Wide Web Consortium

The World Wide Web Consortium (W3C) is an international consortium where Member organizations, a full-time staff, and the public work together to develop Web standards. W3C primarily pursues its mission through the creation of Web standards and guidelines designed to ensure long-term growth and stewardship for the Web. Over 400 organizations are Members of the Consortium.

W3C is jointly run by the MIT Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) in the United States, the European Research Consortium for Informatics and Mathematics (ERCIM) headquartered in France, Keio University in Japan and Beihang University in China. W3C has Offices in Australia; the Benelux countries; Brazil; Finland; France; Germany and Austria; Greece; Hungary; India; Italy; Korea; Morocco; Russia; Southern Africa; Spain; Sweden; and the United Kingdom and Ireland. For more information see http://www.w3.org/

End Press Release

Media Contact

Karen Myers, W3C <w3t-pr@w3.org>
Mobile: 1.978.502.6218

Testimonials from W3C members

Bloomberg · Nok Nok Labs · Yubico

Bloomberg

The formation of this group presents a great opportunity to create a real industry standard around web authentication. This will create downstream opportunities in secure and interoperable ways for people to authenticate and should lead to both shorter development cycles and improvements in end-user experience.

Shawn Edwards, CTO, Bloomberg

Nok Nok Labs, Inc.

The W3C's new Web Authentication work, based upon the FIDO Alliance submission of FIDO 2.0 Web APIs, is a huge step towards realizing our vision of strong authentication using strong cryptographic operations instead of passwords.  The W3C work drives us towards standards-based adoption by major browsers and enables consumers and organizations to achieve both an improved user experience and improved security.  As a founder of the FIDO Alliance and one of the organizations to submit the FIDO 2.0 Web API’s to the W3C, it is great to see the submissions move down the standards path.

Ramesh Kesanupalli, Nok Nok Labs Founder and FIDO Visionary

Yubico

To build long-term trust for the Web, we need to develop alternatives to the static password. As a major contributor to FIDO open authentication standards, Yubico is convinced the future of strong authentication will be rooted in native support within platforms and browsers. The Web Authentication work within the W3C is a critical collaboration and contribution to this outcome.

Stina Ehrensvard, CEO, Yubico

Related RSS feed