Today, W3C welcomes the FIDO 2.0 Platform specifications as a Member Submission. On the Web, passwords are both an everyday inconvenience for users and a weakness against modern security threats. Users re-use passwords across different sites, and password databases are irresistible targets for an enterprising attacker. W3C is committed to bringing the Web to its full potential, and that includes providing more secure and easier ways to authenticate in your browser. After our WebCrypto v.Next workshop, W3C started drafting a charter for a Web Authentication Working Group (still a draft).
But how do we “kill passwords”? This question is answered by the FIDO 2.0 specifications, which define a unified mechanism to use cryptographic credentials for unphishable authentication on the Web. The specifications enable a wide variety of user experiences and modalities. For example, a user may log into the web by unlocking a nearby Bluetooth- or NFC-connected smartphone which contains the user’s cryptographic credentials. Alternatively, the user may use a USB authentication device containing cryptographic credentials, which he or she inserts and activates with the touch of a button. The W3C has provided technical and procedural comments on FIDO 2.0.
For more than 20 years, W3C has led the development of open standards for the Web, and one of the benefits of being a W3C Member is that any Member can suggest new standards to W3C at any time. W3C Members Google, PayPal, Microsoft, and Nok Nok Labs have proposed three FIDO 2.0 specifications (Web APIs, Key Attestation Format, and Signature Format), and we have published these as a Member Submission on the W3C site. Publication of a Member Submission by W3C does not imply endorsement by W3C, including the W3C Team or Members. However, the high technical quality of these specifications and the expertise of the companies proposing them make them a natural fit for consideration as part of W3C’s standards track.
As our next step, with FIDO 2.0 as an input document, we will formally propose the Web Authentication Working Group charter to the W3C Membership for review. W3C relies on its Members, over 400 industry leaders, to help guide the development of the Web, and their feedback will be used to improve the scope and direction of the proposed work. If the Membership supports the charter, we anticipate launching the group in January 2016.
The W3C is an open standards body. All W3C Members and Invited Experts will be welcome to participate, and all standardization will be done in the open and publicly archived, with the final W3C standards being licensed under the W3C Royalty-Free Patent Policy.
Announcements about the launch of the Web Authentication Working Group and publication of its specifications will be made on the W3C home page.
As the Web works across all devices, the Open Web Platform is the perfect platform to drive future standardization across all other platforms. W3C and FIDO Alliance will continue to work together to help make secure multi-factor authentication a ‘built-in’ feature on all platforms. If FIDO, W3C, and the rest of the tech industry are successful, future generations may not even know what a password is.