The Evolving Web Security Strategy: The Web Authentication Working Group to end passwords

Passwords are one of the most irritating and least secure parts of our everyday Web experience. Users re-use passwords, so when a single server is hacked, millions are put at risk across multiple websites. We can't expect users to remember long and complicated passwords. A new effort at W3C called the Web Authentication Working Group is launching their first meeting March 4th next to the RSA conference. Working with the  FIDO 2.0 Member Submission from members of the FIDO Alliance,  the W3C plans to help industry eliminate passwords and replace them with more secure and standardized ways of logging in, such as entering a USB key into your device or activating a nearby smartphone. We at W3C believe these capabilities should be available to Web developers everywhere via open standards, just like the rest of the Web.

While it's not the first attempt to get rid of passwords, this is the first attempt that looks like it will succeed, likely by virtue being based on industry consensus and open standards rather than proprietary technology being pushed by a single company. This new and exciting effort includes Google, Microsoft, Mozilla, Paypal, and many more  - and is currently looking for new members. The W3C's Working Groups get most of their work done by non-paid volunteers - so we in the Web Authentication Working Group are looking for people to put in the blood, sweat, and tears to get rid of passwords. As we're our first face-to-face meeting next to the RSA conference on March 4th at Microsoft in San Francisco, we hope we get the right crowd. The meeting is already filling up, so sign up now via the Web form if you intend to join the Web Authentication Working Group as an W3C member, even if you haven't joined quite yet. We already are discussing with and are supported by academics like the Prosecco team at INRIA, who are famous for breaking TLS. Academics and others who can't reasonably become W3C members are welcome to join as Invited Experts if they have a background in security and cryptography. We'll want as many eyes on these authentication standards as possible.

Fixing web authentication is part of a larger strategy for securing the Web being co-ordinated throughout many parts of the W3C. The Web of 2016 is no longer the Web of 1996 - password failures today can have exceedingly dangerous  consequences when a bank account password or social media account is taken hostage. The Web was meant to share open data between researchers, but also via new efforts at the W3C is now being increasingly used for monetary payments and even interface with automobiles.  So giant password breaches threaten everyone from ordinary web users to the 'cybersecurity' of nation-states.

Yet while lots of people are talking about cybersecurity, very few people know what to do! That is except the technologists themselves, who at the W3C are busy fixing the fundamental protocols of the Web to make it more secure. The W3C, a global consortium founded by Tim Berners-Lee to safeguard the future of the Web, has taken on security as a topmost priority. Through the W3C's myriad Working Groups - bottom-up groups that any member or anyone able to demonstrate expertise can join - a new array of security and cryptography is being built into the Web. This is necessary now more than ever, as the original Web was designed without a security model and, even worse, without privacy in mind. However, this can all be fixed. The core problem is that these Working Groups are having to deal with upgrading fundamentally insecure protocols, protocols designed before anyone even took security seriously, without breaking the Web that millions rely on.

The new Web Authentication Working Group is part of a larger security strategy at the Web. In essence, there are two levels of problems facing security on the Web. The first level is called the Network Level, the level that runs all Internet traffic, of which the Web is only a part. Network traffic is for the most part insecure, which allows not only the nation-state actors with NSA-level capabilities but anyone in a cafe with open source tools such as Wireshark and other tricks to snoop on and intercept your HTTP communications with a webserver when a 'lock' (TLS, formerly known as HTTP) isn't displayed in your browser. By co-ordinating and building on standards from the Internet Engineering Task Force who are in charge of upgrading the fundamental protocol of TLS, the Web Application Security Group is making it harder for attackers to intercept traffic and send malicious code to your browser. So when you go to a website, you can be assured that you are really getting the Website itself, not some malicious impostor trying to steal your data. From mature standards such as Content Security Policy to newer exciting work such as Subresource Integrity, the Web is step-by-step improving its fundamental security model: The Same Origin Policy.

The second level is the Web Level: How can we secure not just the underlying network level but the web applications themselves. Web applications like Gmail and Netflix can run inside browsers (often in addition to being 'native' apps you can get through an app store) and are still one of the best ways to get cross-platform applications developed quickly. However, the primary programming language of the Web, Javascript, rose to ascendancy rather by accident and didn't have fundamental cryptographic functionality built in, ranging from generating random numbers to digital signatures. Thanks to the W3C Web Cryptography Working Group, and three years after starting, now every browser has advanced cryptographic functionality built in via the Web Cryptography API - enough to create a whole new generation of cryptographically-aware Web applications. Over the next few months, the Web Cryptography Working Group will be testing interoperability and finalizing the specs to reflect the reality of implementation.

With the formation of the Web Authentication Working Group and FIDO 2.0 Platform specifications, we finally have what is rapidly appearing to be industry consensus on a cryptographic replacement for passwords that will be both more secure and easy to use, as well as respect the privacy and security of users on the Web by following the Same Origin Policy. Via the W3C's Royalty Free Patent Policy, we'll make sure these authentication standards are open and safe to implement in terms of patents, and hopefully by this next year you'll start seeing Web authentication without passwords in a browser near you.

We'd like to thank NGRC for support as well as the FIDO Alliance. Also, everyone who attended the WebCrypto v.Next workshop.