http://www.w3.org/ — 17 February, 2016 —
Recognizing the critical role of strong authentication in securing the Web
experience for everyone, the World Wide Web Consortium (W3C) announced
today that it is launching a new standards effort in Web
Authentication that will offer a more secure and flexible
alternative to password-based log-ins on the Web.
For many Web users, passwords are annoying to use and offer weak
protection for their interactions – they're too often forgotten or set to
weak, easily guessed combinations. Even strong passwords can be
lost in data breaches or targeted for replay in phishing attacks. W3C's
new Web Authentication work, based upon the member submission of FIDO 2.0
Web APIs from the FIDO Alliance, will enable the use of strong
cryptographic operations in place of password exchange.
"When strong authentication is easy to deploy, we make the Web safer for
daily use, personal and commercial," said Sir Tim Berners-Lee, Web
Inventor and W3C Director. "With the scope and frequency of attacks
increasing, it is imperative for W3C to develop new standards and best
practices for increased security on the Web."
According to W3C CEO Dr. Jeff Jaffe, the Web Authentication effort will
complement prior W3C work on a Web Cryptography API, currently in Candidate
Recommendation status, and on-going work on Web Application Security
specifications. The WebCrypto API provides a JavaScript API to a standard
suite of cryptographic operations
across browsers. Work in WebAppSec includes improvements to the HTTPS
experience and updates to Content Security Policy (CSP), enabling
application authors to set policy for what active content is permitted to
run on their sites, protecting them against injection of unwanted or
malicious code.
"Our goal is to raise the entire Open Web Platform to a higher standard
of security and to collaborate with industry, academic experts, and other
standards organizations to ensure that specific Web security needs are
met," Jaffe said. "We invite broad participation to work together on this
top priority to keep the Web as secure as possible today and in the
foreseeable future."
Wendy Seltzer, Technology and Society Domain Lead, says she expects the
new Web Authentication work to close an important gap in the Web platform.
"We've seen much better authentication methods than passwords, yet too
many Web sites still use password-based log-ins. Standard Web APIs will
make consistent implementations work across the Web ecosystem. The new
approach will replace passwords with more secure ways of logging into Web
sites, such as using a USB key or activating a smartphone. Strong
authentication is useful to any Web application that wants to maintain an
ongoing relationship with users," Seltzer commented.
The W3C's Web Authentication technical work is being accelerated thanks
to a W3C member submission of FIDO 2.0 Web APIs from members of the FIDO
Alliance. The submitted APIs are intended to ensure standards-based
strong authentication across all Web browsers and related Web platform
infrastructure.
"Our mission is to revolutionize authentication on the Web through the
development and global adoption of technical specifications that supplant
the world's dependency on passwords with interoperable strong
authentication," said Brett McDowell, executive director of the FIDO
Alliance. "With W3C's acceptance of the FIDO 2.0 submission, and the
chartering of this new Web Authentication Working Group, we are well on
our way to accomplishing that mission."
The new Web Authentication Working Group's first meeting will take place
4 March 2016 in San Francisco, conveniently timed for people who are also
attending the RSA USA Conference. All W3C standards activities take place
in Working
Groups that are open to participation by W3C members and provide
public mailing lists and repositories for public comment.
"The developers and engineers involved in W3C’s efforts to improve Web
security are keenly aware of the need to upgrade protocols without
breaking the Web that billions of people rely on," said Seltzer. "We
very much encourage those interested in helping W3C to build a more secure
Web to get involved."
The World Wide Web Consortium (W3C) is an international consortium where Member organizations, a full-time staff, and the public work together to develop Web standards. W3C primarily pursues its mission through the creation of Web standards and guidelines designed to ensure long-term growth and stewardship for the Web. Over 400 organizations are Members of the Consortium.
W3C is jointly run by the MIT Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) in the United States, the European Research Consortium for Informatics and Mathematics (ERCIM) headquartered in France, Keio University in Japan and Beihang University in China. W3C has Offices in Australia; the Benelux countries; Brazil; Finland; France; Germany and Austria; Greece; Hungary; India; Italy; Korea; Morocco; Russia; Southern Africa; Spain; Sweden; and the United Kingdom and Ireland. For more information see http://www.w3.org/
End Press Release
Karen Myers, W3C <w3t-pr@w3.org>
Mobile: 1.978.502.6218
The formation of this group presents a great opportunity to create a real industry standard around web authentication. This will create downstream opportunities in secure and interoperable ways for people to authenticate and should lead to both shorter development cycles and improvements in end-user experience.
Shawn Edwards, CTO, Bloomberg
The W3C's new Web Authentication work, based upon the FIDO Alliance submission of FIDO 2.0 Web APIs, is a huge step towards realizing our vision of strong authentication using strong cryptographic operations instead of passwords. The W3C work drives us towards standards-based adoption by major browsers and enables consumers and organizations to achieve both an improved user experience and improved security. As a founder of the FIDO Alliance and one of the organizations to submit the FIDO 2.0 Web APIs to the W3C, it is great to see the submissions move down the standards path.
Ramesh Kesanupalli, Nok Nok Labs Founder and FIDO Visionary
To build long-term trust for the Web, we need to develop alternatives to the static password. As a major contributor to FIDO open authentication standards, Yubico is convinced the future of strong authentication will be rooted in native support within platforms and browsers. The Web Authentication work within the W3C is a critical collaboration and contribution to this outcome.
Stina Ehrensvard, CEO, Yubico