In a joint press release on March 4th, 2019, the World Wide Web Consortium (W3C) and the FIDO Alliance announced that the Web Authentication (WebAuthn) specification is now an official web standard. WebAuthn is at the moment supported by Windows 10 and Android operating systems, as well as major browsers.
Quote from press release:
W3C’s WebAuthn Recommendation, a core component of the FIDO Alliance’s FIDO2 set of specifications, is a browser/platform standard for simpler and stronger authentication. It is already supported in Windows 10, Android, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (preview) Web browsers. WebAuthn allows users to log into their internet accounts using their preferred device. Web services and apps can — and should — turn on this functionality to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys, and with much higher security over passwords alone.
According to the W3C, passwords have outlived their efficiency, reporting that stolen or weak passwords are behind over 80 percent of data breaches. In addition, a recent study shows that an average user spends 11 hours per year entering and resetting passwords.
How does WebAuthn work?
The W3C has published the standard in a document named Web Authentication: An API for accessing Public Key Credentials. Here are some use-case scenarios from that document:
On a phone:
– User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using (possibly a legacy method such as a password), or creates a new account.
– The phone prompts, “Do you want to register this device with example.com?”
– User agrees.
– The phone prompts the user for a previously configured authorization gesture (PIN, biometric, etc.); the user provides this.
– Website shows message, “Registration complete.”
On a laptop or desktop:
– User pairs their phone with the laptop or desktop via Bluetooth.
– User navigates to example.com in a browser and initiates signing in.
– User gets a message from the browser, “Please complete this action on your phone.”
On a phone:
– User sees a discreet prompt or notification, “Sign in to example.com.”
– User selects this prompt / notification.
– User is shown a list of their example.com identities, e.g., “Sign in as Alice / Sign in as Bob.”
– User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.
On the laptop or desktop:
– Web page shows that the selected user is signed in, and navigates to the signed-in page.
The sad fact remains that people are still quite careless when it comes to privacy protection and to Windows login passwords. Quite common questions on online forums are “Must I use a password?” and “How do I sign in automatically?”. Jen Gentleman from Microsoft recently tweeted about the importance of locking your PC if you step away from it. But how much does it help if you have no password set, or the password is something trivial like 123456?
If you need to walk away from your computer for whatever reason, press WIN+L to lock it.
It only takes a second and a person taking a look at your unlocked PC may not always have a friendly prank in mind
— Jen Gentleman (@JenMsft) March 5, 2019
Google announced in February that Android 7 and later is now FIDO2 certified. Windows 10 is fully WebAuthn compliant. Chrome, Firefox, Edge and Safari browsers support it, and Opera will get support later this year. Already established and widely used two-factor authentication, as good as it is, can be breached, but if you have a FIDO key, you are as safe as it is possible to be. A FIDO key creates a unique credential for each site, and the private half of that credential never leaves the key, so it is never stored on any server.
Unfortunately, at the moment there still are a large number of websites that do not support WebAuthn. My best hope is that more and more sites will implement it in the near future. The resulting security implications should benefit everyone!
Author: Kari Finn
A former Windows Insider MVP, Kari started in computing in the mid 80’s writing code for VAX / VMS systems. Since then, he’s worked in a variety of IT positions. He specializes in Windows image capture, customization, repair and deployment as well as Hyper-V virtualization. Kari is a proud Team Member at the #1 Windows site TenForums.com.