W3C declares WebAuthn the future that will replace your passwords

Cal Jeffrey

In brief: Almost a year after browsers began implementing it, the W3C has announced the finalization of the WebAuthn specification. The new authentication procedure promises to make websites more secure and easy to log into by replacing passwords with biometrics or security keys. However, web service providers will have to adopt the standard before users can take advantage of it.

Back in April 2018, we reported that Firefox began supporting a new password-free authentication standard called WebAuthn. Other major browsers followed suit with Chrome, Edge, and then Safari all testing and implementing it before the end of 2018. The authentication standard has now been declared finalized and official by the World Wide Web Consortium (W3C) and the FIDO Alliance.

The Web Authentication or WebAuthn specification allows users to log into websites without having to remember passwords. Instead, users can use biometric data such as a fingerprint, USB security keys, or mobile devices like smartphones or watches. The W3C claims it will make websites more secure.

“This advancement is a major step forward in making the web more secure—and usable—for users around the world,” said the W3C in its press release.

The consortium urges websites and services to begin implementing the functionality to create a more secure environment and to allow their users the convenience of not having to enter credentials.

“Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,” said W3C CEO Jeff Jaffe. “W3C's Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site.”

There is little debate that biometrics are more secure than passwords. Virtually all smartphone manufacturers have made biometrics the default authentication method. We report regularly of passwords and other user information that have been stolen or leaked. Despite repeated warnings, some users still use weak passwords like “password” or “123456.”

The W3C feels that WebAuthn will eliminate many problems associated with traditional authentication methods.

“It's common knowledge that passwords have outlived their efficacy. Not only are stolen, weak or default passwords behind 81 percent of data breaches, they are a drain of time and resources. While traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security, they are still vulnerable to phishing attacks, aren’t simple to use and suffer from low opt-in rates. With WebAuthn, the global technology community has come together to provide a shared solution to the shared password problem.”

WebAuthn also allows workers to get to work faster. According to a study by Yubico published in January, employees spend an average of 10.9 hours per year either entering credentials or changing them. This time works out to an average annual cost of $5.2 million for companies.

Don’t expect to start using the standard immediately though. Websites will still have to incorporate it into their authentication protocols. With no pressing urgency like a specific security threat, many sites will likely take their time adopting the standard.


 
The only issue with biometrics is IF they are stolen it could lead to all sorts of problems for the user and it's not something easily replaceable ..... could lead to a lifetime of regret!
 
There's gonna be one point where a kid is going to run up to an older adult and ask, "You had to actually have and remember passwords?! That's crazy!"

And the world will be better off for it.
 
"Not only are stolen, weak or default passwords behind 81 percent of data breaches, they are a drain of time and resources."

Okay, so who is implicitly behind the acceptance of weak passwords? Anyone who designs/maintains a website. Weak passwords are a problem that is easily solved by changing the requirements of a password to make it stronger.

The article talks about using biometrics and USB security keys. What happens if the security key is stolen or lost? At least they realize any biometric solution is a part of the solution and not the silver bullet. And I think that will always be the case.

This ongoing quest to eliminate the password day after day, month after month and year after year is tiresome to me.

The nail in the coffin for this technology will be this statement at the end of the article: "Websites will still have to incorporate it into their authentication protocols. "

If websites can force stronger password requirements but don't, even though it's one of the simplest and easiest things anybody could do, then why is the W3C expecting website designers/administrators to sign on to this Open Authorization standard?

I like my passwords. I don't have to remember them either. I just have to be smart enough to write each one down in a text file so that I can access it when I need it.
 
The only issue with biometrics is IF they are stolen it could lead to all sorts of problems for the user and it's not something easily replaceable ..... could lead to a lifetime of regret!
2FA my friend, you use your Fingerprint to recognise who you are then you get a notification on your Smartphone to accept whether you trust this login or not.
 
I like my passwords. I don't have to remember them either. I just have to be smart enough to write each one down in a text file so that I can access it when I need it.

Congrats, you're part of the problem.

The idea that every website in existence needs to maintain its own user/pass database is silly; manage it OS side, and make a mechanism for OSes to share user/pass information between them. Now you only have to secure the user/pass databases at the OS level, and an individual breach only causes the individual to lose their information, rather than everyone.
 
The only issue with biometrics is IF they are stolen it could lead to all sorts of problems for the user and it's not something easily replaceable ..... could lead to a lifetime of regret!
That was the first thing I started thinking too... Part of a 2FA schema the risk would be reduced like Burty suggests, but like you said, biometrics tend to be something you can't change... and you're still relying on a website to actually commit to 2FA, which most do not as it is.
 
The only issue with biometrics is IF they are stolen it could lead to all sorts of problems for the user and it's not something easily replaceable ..... could lead to a lifetime of regret!
2FA my friend, you use your Fingerprint to recognise who you are then you get a notification on your Smartphone to accept whether you trust this login or not.
two factor authentication blows, I'd gladly redo my password every few months instead of having to track down my phone for every other login.

Why do I have to work more because all of these companies have slack security? Even this article ends by saying the new specification won't work unless these places use it. I'm only salty about it because it makes no sense that I'm hunting my phone down, doing captchas and clicking on pictures of bikes and buses while proving I'm not a robot, while the company on the other end just jots all that down in WordPad and calls it a day.
 
Congrats, you're part of the problem.

The idea that every website in existence needs to maintain its own user/pass database is silly; manage it OS side, and make a mechanism for OSes to share user/pass information between them. Now you only have to secure the user/pass databases at the OS level, and an individual breach only causes the individual to lose their information, rather than everyone.

So the website designers/administrators who gave the article writer the 81% statistic to make the problem sound horrible have no responsibility in the matter? I'm the problem? Okay then. I'm sorry that my non-issue is your problem.

Still, I'll keep an open mind to things and research the issue a little better when I have more time.

It sounds like they're attempting to offload the responsibility of entering passwords manually by the user to the OS, which might be an okay idea. But I'd have to know all the details. As it is now I'm very skeptical about it. I could see that responsibility being handled by 3rd party software also. The responsibility doesn't necessarily have to be given at the OS level. Web browsers already do this sort of thing with the "remember password" functionality.
 
I like my passwords. I don't have to remember them either. I just have to be smart enough to write each one down in a text file so that I can access it when I need it.

Congrats, you're part of the problem.

The idea that every website in existence needs to maintain its own user/pass database is silly; manage it OS side, and make a mechanism for OSes to share user/pass information between them. Now you only have to secure the user/pass databases at the OS level, and an individual breach only causes the individual to lose their information, rather than everyone.

And do you have a particular encryption method in place that will 100% guarantee that no one can use any sort of bypass, hack, backdoor, virus, malware, or even keystroke logger to gain access to the passwords stored in that local OS? And even if it's not the reason for the attack, what happens when someone's PC is locked up by ransomware (or even just had a hard drive crash & hadn't backed it up), & now that they've had to completely reinstall their system from scratch they lost all of those passwords?
 
The only issue with biometrics is IF they are stolen it could lead to all sorts of problems for the user and it's not something easily replaceable ..... could lead to a lifetime of regret!

God forbid if it ever comes down to that, I think the terminator movies set up a real good example of that. =/
 
And do you have a particular encryption method in place that will 100% guarantee that no one can use any sort of bypass, hack, backdoor, virus, malware, or even keystroke logger to gain access to the passwords stored in that local OS? And even if it's not the reason for the attack, what happens when someone's PC is locked up by ransomware (or even just had a hard drive crash & hadn't backed it up), & now that they've had to completely reinstall their system from scratch they lost all of those passwords?
Or the case of using multiple different devices. I have several PCs at home, an iPad, and a PC at work. Who manages the data necessary to use any number of different devices to access your account? What is going to guarantee that I will be able to access the same account from all those devices if the data required is contained on only one device?

I have looked around a bit on this, and I see no obvious solution to access the same account from multiple different devices.
 
@wiyosaya :- I don't see why a single user-id must be associated with one-and-only-one device. Take an Apple ID for example; up to five devices can be associated with one Apple ID. Find My iPhone can be associated with any one of them without confusion.
access the same account from all those devices if the data required is contained on only one device
Apple does this via their iCloud.

MY concern is more than one being active at the same time. Yes, my cell, tablet and iMac can all be logged in at the same time. However, if my credentials were nefariously acquired, there's no assurance they all are in fact me. In highly secured systems, multiple logins are forbidden.
 
@wiyosaya :- I don't see why a single user-id must be associated with one-and-only-one device. Take an Apple ID for example; up to five devices can be associated with one Apple ID. Find My iPhone can be associated with any one of them without confusion. Apple does this via their iCloud.

MY concern is more than one being active at the same time. Yes, my cell, tablet and iMac can all be logged in at the same time. However, if my credentials were nefariously acquired, there's no assurance they all are in fact me. In highly secured systems, multiple logins are forbidden.
@jobeard
That's Apple.

However, the question of how this will be handled is apparently far from clear. https://lists.w3.org/Archives/Public/public-webauthn/2016Jul/0277.html Reading through the relevant threads, including side threads, I did not see a definitive answer, at least as far as I read.

In particular, they talk of not allowing copying the authentication data on a device to another device.

Apple, as in your example, is the authenticator. With WebAuthn, the authenticator is a device. Not everyone has a smart phone (hard to believe, I know ;) ), and a USB key is not necessarily easily usable on all devices without, perhaps, extra hardware (for instance, an iPad without a USB adapter), and there's the whole problem of taking it with you and having to plug it in to each device one uses.

So the answer is nebulous. If the answer is a web authentication service, similar to what Apple does in your example, then there is still the possibility, no matter how remote, that it can be hacked.

Not to mention apparently this whole thing is based on RSA even though RSA has flaws. See the Criticism section here - https://en.wikipedia.org/wiki/WebAuthn

Also, interestingly enough, if you do not have a biometric device such as a fingerprint scanner, then you will need to remember a pin. If that pin applies over all sites, then great, however, if the pin needs to be different for each site, then we are right back at passwords.

While the idea might be well-intentioned, the public may have difficulty accepting it if it is difficult to use.

And finally, as others have mentioned, each site needs to implement it. Revised password guidelines have been in place since April 2017, however, most of the sites I use are nowhere near implementing even those. https://www.passwordping.com/surprising-new-password-guidelines-nist/ https://venturebeat.com/2017/04/18/...erything-we-thought-about-passwords-is-wrong/
 
"Not only are stolen, weak or default passwords behind 81 percent of data breaches, they are a drain of time and resources."

Okay, so who is implicitly behind the acceptance of weak passwords? Anyone who designs/maintains a website. Weak passwords are a problem that is easily solved by changing the requirements of a password to make it stronger.

The article talks about using biometrics and USB security keys. What happens if the security key is stolen or lost? At least they realize any biometric solution is a part of the solution and not the silver bullet. And I think that will always be the case.

This ongoing quest to eliminate the password day after day, month after month and year after year is tiresome to me.

The nail in the coffin for this technology will be this statement at the end of the article: "Websites will still have to incorporate it into their authentication protocols. "

If websites can force stronger password requirements but don't, even though it's one of the simplest and easiest things anybody could do, then why is the W3C expecting website designers/administrators to sign on to this Open Authorization standard?

I like my passwords. I don't have to remember them either. I just have to be smart enough to write each one down in a text file so that I can access it when I need it.

DOD already uses a similar system for logging into their websites. If your smartcard is lost or stolen the certificates on it are rendered invalid.

2FA also exists here; something you have and something you know. In this case the thing you know is the PIN number that actually allows the card to be used.

All I have to do is have my smartcard and remember my pin and I can get into any system I'm authorized to access.
 
It sounds like they're attempting to offload the responsibility of entering passwords manually by the user to the OS, which might be an okay idea. But I'd have to know all the details. As it is now I'm very skeptical about it. I could see that responsibility being handled by 3rd party software also. The responsibility doesn't necessarily have to be given at the OS level. Web browsers already do this sort of thing with the "remember password" functionality.

But the root problem here is the fact that EVERY website has its own user/pass database, and given that the majority of people re-use passwords, a break of one can lead to even secure systems being breached. If you instead pass the responsibility to the OS you greatly reduce the number of user/pass databases you need to secure.

The idea that every website needs to host what ends up being identical user/pass databases is downright silly when you think about it.
 
DOD already uses a similar system for logging into their websites. If your smartcard is lost or stolen the certificates on it are rendered invalid.
It sounds like this is controlled through a central server, and I see that as different from WebAuthn.

If you lose your WebAuthn fob/dongle, or the keys become corrupt somehow, I can see that it may be a potentially difficult task for anyone to recover access to all the sites where they used WebAuthn.

I am all for increased security, however, I am not sure this is the best path.
 
Looking into the effort to implement an abstraction for WebAuthn, this will be, as they say, a non-trivial project for the website -- it will impact every webpage (no single point for the host) which requires user credentials.
 
The only issue with biometrics is IF they are stolen it could lead to all sorts of problems for the user and it's not something easily replaceable ..... could lead to a lifetime of regret!

The standard implementation doesn't use fingerprint as the first line of authn. You generally sign in using a strong password and then during the active duration can unlock an active session using your fingerprint. Then there's the reality that a k-means analysis of your fingerprint features over any 2 systems is unlikely to resolve to the same data points (hence why you give it multiple samples of the same finger). Sampling randomly using only two metrics of analysis and 10 basic features yields somewhere in the range of 1e90 possible signatures from a single fingerprint.
 
It sounds like this is controlled through a central server, and I see that as different from WebAuthn.

If you lose your WebAuthn fob/dongle, or the keys become corrupt somehow, I can see that it may be a potentially difficult task for anyone to recover access to all the sites where they used WebAuthn.

I am all for increased security, however, I am not sure this is the best path.

As far as I know there is no real central server. There is an authority that issues the certificates, but past that every service has its own authentication server (to an extent; one is shared among a few sites).
 
But the root problem here is the fact that EVERY website has its own user/pass database, and given that the majority of people re-use passwords, a break of one can lead to even secure systems being breached. If you instead pass the responsibility to the OS you greatly reduce the number of user/pass databases you need to secure.

The idea that every website needs to host what ends up being identical user/pass databases is downright silly when you think about it.

I'm thinking about it and I don't find it all that silly. It's been good enough for years and now it just becomes silly, just like that? I guess it's all in one's perceptions. If I worked for the F.B.I. or NSA I would probably be jumping up and down for this new WebAuthn technology as it would make my job a lot easier. You could find out every website a criminal has ever used in the blink of an eye and his password to all those websites to track everything he's ever done. Of course, this would best be used against criminals but in today's heated political climate it would be used as a weapon against political candidates to see if they can dig up something bad on their running mates.

I'm still just thinking.....mmmmmm.....no thanks.

The ratio of user credential data to user non-credential data is probably at least a 1 to 1000 and higher so, it's not really a storage issue at all.
 
I'm thinking about it and I don't find it all that silly. It's been good enough for years and now it just becomes silly, just like that? I guess it's all in one's perceptions. If I worked for the F.B.I. or NSA I would probably be jumping up and down for this new WebAuthn technology as it would make my job a lot easier. You could find out every website a criminal has ever used in the blink of an eye and his password to all those websites to track everything he's ever done. Of course, this would best be used against criminals but in today's heated political climate it would be used as a weapon against political candidates to see if they can dig up something bad on their running mates.

I'm still just thinking.....mmmmmm.....no thanks.

The ratio of user credential data to user non-credential data is probably at least a 1 to 1000 and higher so, it's not really a storage issue at all.

Don't fall into the trap of "good enough". Server side authentication made sense back when the Internet started, but nowadays it's just duplication of records that introduces too many security vulnerabilities. Give *everyone* one unique user/pass that works across the entire Internet, and store it in as few places as reasonably possible. All websites *really* need at the end of the day is an acknowledgement that the user is the correct person; they don't need to, and I argue shouldn't need to be the ones to handle that authentication.
 