Slashdot Mirror


W3C Approves WebAuthn as the Web Standard For Password-Free Logins (venturebeat.com)

The World Wide Web Consortium (W3C) today declared that the Web Authentication API (WebAuthn) is now an official web standard. From a report: First announced by the W3C and the FIDO Alliance in February 2016, WebAuthn is now an open standard for password-free logins on the web. It is supported by W3C contributors, including Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, SoftBank, Tencent, and Yubico. The specification lets users log into online accounts using biometrics, mobile devices, and/or FIDO security keys. WebAuthn is supported by Android and Windows 10. On the browser side, Google Chrome, Mozilla Firefox, and Microsoft Edge all added support last year. Apple has supported WebAuthn in preview versions of Safari since December.

55 comments

  1. Thanks, but no thanks by DogDude · · Score: 2, Insightful

    Use a *mobile device* for logging in somewhere? That seems like an extraordinarily bad idea. I wouldn't trust a mobile device for anything that requires security. They come already compromised by Google/Apple, and then most people load them up with all sorts of "apps" that are actually tracking/monitoring programs.

    I'm sure most people will love it.

    --
    I don't respond to AC's.
    1. Re:Thanks, but no thanks by AmiMoJo · · Score: 4, Interesting

      Most people use really bad passwords over and over for multiple sites. Thus being able to use their mobile device is a vast improvement to their security.

      By the way, do you have any evidence that Google/Apple are actually a security threat to you? For example, it seems like law enforcement is forced to spend hundreds of thousands of dollars to compromise phones because Google/Apple refuse to help them, so I'm wondering exactly what your threat model is.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Thanks, but no thanks by DogDude · · Score: 0

      I don't think that Google and Apple have any interest in helping law enforcement. What they do do is sell users' info to the highest bidder. The danger comes from either somebody directly purchasing personal info, or just from somebody malicious getting their hands on the tons and tons of marketing info that's already being sold.

      I agree that if most people are using weak passwords everywhere, it'd be an improvement, but for those of us who take security seriously, it's a non-starter. (I don't use a "smart phone" for that very reason, but I'm a bit of an outlier, obviously.)

      --
      I don't respond to AC's.
    3. Re:Thanks, but no thanks by Anonymous Coward · · Score: 0

      Where do I go to get into the bidding war for users' info? Who has ever bought this data? What did it include? Are there any samples of what we are bidding for?

    4. Re:Thanks, but no thanks by Anonymous Coward · · Score: 0

      The alphabet agencies have a vested interest in you thinking they have a hard time accessing your information. Companies operating in the US stand to lose more than just revenue if they don't cooperate with the government. So they play this game where they pretend to despise each other to create the illusion they are working in your best interest. Why do you think they go after the Snowdens and Assanges so aggressively? Shine a light on them and they go scurrying like roaches.

    5. Re:Thanks, but no thanks by AmiMoJo · · Score: 0

      What they do do is sell users' info to the highest bidder

      That too has been debunked. It doesn't even pass the sniff test - why would they sell their most valuable asset, the thing that the value of their advertising services derives from?

      Obviously if you have any evidence showing that they have in fact sold personal info I'd very much like to see it, so I can file a GDPR complaint against them. Because it's illegal in the EU.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Thanks, but no thanks by Anonymous Coward · · Score: 2, Informative

      "For example, it seems like law enforcement is forced to spend hundreds of thousands of dollars to compromise phones because Google/Apple refuse to help them, so I'm wondering exactly what your threat model is."

      For a lot of people you just spelt it out. :) Different AC here, and I don't find Apple refusing to unlock a phone a threat to me. I do find Google's tracking to be a threat though. Half the web is locked away if you refuse to play with Google. That is by design. I find the inability of my phone to work with Google a threat. I mean, I bought it from Samsung, why is Google controlling it? Why does Play keep asking to sync my contacts when I have said no many times, but if I ever say yes it won't ask again? So yes, I feel threatened by Google because I know they are using what I do, say, who I relate to and with to make money or acquire power. Google should be broken up. We are of course talking about a company that was caught uploading 1GB a month of data from Aussie customers without telling them and tracking users even when location services have been turned off.

    7. Re:Thanks, but no thanks by AmiMoJo · · Score: 0

      The alphabet agencies have a vested interest in you thinking they have a hard time accessing your information.

      Okay, but let's look at the threat model. An alphabet agency wants to use a secret backdoor to unlock your phone, but can't let it become public, so there is no way to present that evidence in open court. Meaning that by the time they use it against you, you are probably already rotting in Guantanamo anyway, and the $5 wrench crypto attack is probably a lot easier than using an exploit.

      Also if you are worried about that kind of thing, you are pretty screwed anyway because what are you going to trust with your secrets? Everything could theoretically be backdoored or exploitable.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Thanks, but no thanks by Anonymous Coward · · Score: 0

      Or, they get hacked. When you have such a vast treasure trove of info, which can easily be used to blackmail people, even heads of state, it is a matter of time before attackers start throwing millions of dollars at attacking those databases, because the payoff would be billions to trillions. Couple that with private industry's disinterest in security ("security has no ROI"), and you have a disaster waiting to happen.

    9. Re:Thanks, but no thanks by WaffleMonster · · Score: 1

      Most people use really bad passwords over and over for multiple sites. Thus being able to use their mobile device is a vast improvement to their security.

      The vector actually being exploited in the real world is the user. This is addressable by deployment of secure authentication protocols which protect users from themselves.

      Throwing up new barriers that either have a negative impact on security (Automated password/device reset/recovery) or increase annoyance and risk of nuisance lockout... (my device broke and I can't login anymore) are not helpful to real people. They are simply annoying and pointless.

      Fixing actual problems with password authentication by widespread use of secure authentication helps everyone.

      By the way, do you have any evidence that Google/Apple are actually a security threat to you?

      The question people face in the real world is "Can I trust x?" not "Can I prove x is untrustworthy?" Humans don't tend to entrust things of value to strangers based on absence of evidence of untrustworthiness. This isn't a useful, practical or reasonable standard.

      For example, it seems like law enforcement is forced to spend hundreds of thousands of dollars to compromise phones because Google/Apple refuse to help them, so I'm wondering exactly what your threat model is.

      My understanding is it's mostly Apple. Android is way less secure. Misleading to address them as you have on the same level.

      Most people's adversaries are not law enforcement. Our adversaries are stalkers and criminal enterprises that routinely exploit the hostile, permissive system of take-it-or-leave-it demands baked into Android by Google at the behest of app store vendors.

    10. Re: Thanks, but no thanks by Anonymous Coward · · Score: 2, Informative

      If you have to ask, that means you aren't invited.

    11. Re:Thanks, but no thanks by Anonymous Coward · · Score: 0

      Real world example:

      Do I trust my iPhone more than I trust my work's computer when logging in to my personal email (on a work PC) during my lunch break[1]? Or a cybercafe?

      Microsoft Authenticator app lets me log in to my personal email without typing in a password. Yeah, it's "1FA", but it's safer to me than a password.

      [1] Yes, I'm allowed, it's permitted, this isn't about employment terms and conditions.

    12. Re:Thanks, but no thanks by Anonymous Coward · · Score: 0

      Major cell phone companies in the USA have recently been caught selling GPS location data to 3rd parties for purposes like targeted ads or private bounty hunters.

  2. Drumroll please by TimMD909 · · Score: 1, Funny

    W3C meet your new friend Unintended Consequences. I'm sure you two will get along great...

  3. So I'll be even more locked out now? by Anonymous Coward · · Score: 1

    "using biometrics"
    I sure have no such hardware, nor any want to use one...

    "mobile devices"
    Would never use a surveillance device, and neither would any sane person.

    "FIDO security keys"
    I haven't the faintest idea what this even is. Fidonet?

    1. Re:So I'll be even more locked out now? by Anonymous Coward · · Score: 0

      I'm sorry that you brought in the concept of sanity here. Let's look at that word. It can generally be defined as: "sanity" is what most people perceive as correct. So since you are a far, far outlier on this, you are in fact the crazy one. Most people who can afford one use mobile devices. Hence they are sane, as the majority defines this. The outliers that don't use one but have the income to support it are, by definition, crazy.

    2. Re:So I'll be even more locked out now? by Anonymous Coward · · Score: 0

      Wikipedia disagrees with your definition.

  4. One or Many? by ardmhacha · · Score: 1

    "W3C Approves WebAuthn as the Web Standard For Password-Free Logins"

    "WebAuthn is now an open standard for password-free logins on the web"

    So is there one standard or many?

    1. Re:One or Many? by bluefoxlucid · · Score: 1

      There are probably many, and this is one which is endorsed by the central authority.

      I wish they'd have included PKI as part of the FIDO standards. Those security keys would have been amazing for that. Plug in and read your e-mail, all messages end-to-end encrypted.

    2. Re:One or Many? by DontBeAMoran · · Score: 2

      So is there one standard or many?

      Yes.

      --
      #DeleteFacebook
    3. Re:One or Many? by Anonymous Coward · · Score: 0

      No. They don't. And I could say that all I saw seems built just to try to kill PKI.
      From a technical point of view, it should be easy to make PKI compatible. Only, it should be allowed to make "attestation" of FIDO keys with PKI certificates.
      But FIDO (basically Google and other big companies that are obsessed with capturing all our data) pushes to make attestation with "per device keys", which pushes registration of keys to make a complete verification.
      So... finally the push is to identify against cloud services (THEIR services) to allow pre-identification of keys.
      The only other way that FIDO allows is to avoid attestation (knowing the provenance of the key) and register the assertion key (the generated key) by a classical method: passwords, registration, SMS (more data collection), etc.

      If we want PKI, we will have to demand that browsers allow PKI attestation of FIDO keys.

    4. Re:One or Many? by Anonymous Coward · · Score: 0

      Most of the security keys also work as smart cards through CCID and can be used for this, however the public/private functionality and the requirement to know the recipients' public keys are beyond FIDO itself. The Yubikey doesn't store relationship information when using it for website authentication, it generates authentication responses on the fly based on the website itself, which is why phishing isn't such a concern.

    5. Re:One or Many? by Fly+Swatter · · Score: 1

      There is one W3C approved password-free login standard.

      There are many open standards.

      Context matters.

    6. Re:One or Many? by fbobraga · · Score: 1

      Nice! I knew it!

  5. Something you have. by Anonymous Coward · · Score: 2, Insightful
    So instead of something you have / know / are - choose any two - it's now "Something you have." It's a great improvement over the atrociously insecure "We'll [collect your phone number for our database] and send a text to your cell phone [which might not even be your phone because SS7 is hopelessly insecure]" but killing the password entirely simply shifts the problem to how do you secure a bunch of Yubikeys?

    How do I, for example, log in using a CLI? How is this any different than, say, storing my private key in ~/.ssh? How do I, for that matter, do anything with this that doesn't involve a web browser?

    1. Re:Something you have. by moronoxyd · · Score: 3, Interesting

      So instead of something you have / know / are - choose any two - it's now "Something you have."

      WebAuthn is not a replacement for 2FA, but for password logins. So where before you only had "something you know" you can now choose between "something you have (FIDO key) / know (password) / are (biometrics)".

    2. Re:Something you have. by Meneth · · Score: 3, Informative

      Both of which are harder to replace when their server counterparts are deleted or leaked.

    3. Re:Something you have. by moronoxyd · · Score: 1

      "Both of which"? I listed three things, so you should specify which two you are talking about (probably something you have and something you are).

      My comment didn't make any statement about the usefulness or security of WebAuthn but was only meant to point out that the AC's comment was based on a misrepresentation.

    4. Re:Something you have. by Anonymous Coward · · Score: 0

      None of these standards have you uploading your fingerprints to the cloud, they are all using public key cryptography. What does the server know? Your public keys. The rest are used to access the private keys, on your side.
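
The two points above, that the key "generates authentication responses on the fly based on the website itself" and that the server only ever knows "your public keys", both come down to what a relying party checks when it verifies a WebAuthn assertion. The Go program below is an added illustration, not code from this thread, the W3C specification or any FIDO vendor: it stands in for the authenticator with a software ECDSA P-256 key (a real one keeps the key in hardware), and the relying-party id, origins and challenges (example.com, lookalike.example, nonce-1, nonce-2) are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the JSON the browser builds; the authenticator signs over its SHA-256 hash.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct{ AuthData, ClientDataJSON, Signature []byte } // what the browser hands to the server

// signedPayload is the WebAuthn signing input: authenticatorData || SHA-256(clientDataJSON).
func signedPayload(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	sum := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return sum[:]
}

// makeAssertion is a software stand-in for the authenticator (constructed for this example): the key never leaves it.
func makeAssertion(priv *ecdsa.PrivateKey, rpID, origin, challenge string, counter uint32) assertion {
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37) // rpIdHash(32) || flags(1) || signCount(4)
	copy(authData[:32], rpIDHash[:])
	authData[32] = 0x01 // UP flag: user present
	binary.BigEndian.PutUint32(authData[33:], counter)
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedPayload(authData, cd))
	return assertion{authData, cd, sig}
}

// verifyAssertion is the relying-party side; it holds only the registered public key and its own challenge.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, rpID, origin, challenge string) error {
	var cd clientData
	rpIDHash := sha256.Sum256([]byte(rpID))
	switch {
	case json.Unmarshal(a.ClientDataJSON, &cd) != nil || len(a.AuthData) < 37:
		return errors.New("malformed assertion")
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch (stale or replayed assertion)")
	case cd.Origin != origin: // filled in by the browser, so a look-alike site cannot forge it
		return errors.New("origin mismatch: " + cd.Origin)
	case !bytes.Equal(a.AuthData[:32], rpIDHash[:]):
		return errors.New("rpIdHash mismatch: key was exercised for another relying party")
	case !ecdsa.VerifyASN1(pub, signedPayload(a.AuthData, a.ClientDataJSON), a.Signature):
		return errors.New("signature does not verify against the stored public key")
	}
	return nil
}

// demo: a legitimate login, the same key driven from a look-alike site, and a replay against a fresh challenge.
func demo() (legit, phish, replay error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pub := &priv.PublicKey // registration: this is all the server learns
	good := makeAssertion(priv, "example.com", "https://example.com", "nonce-1", 1)
	legit = verifyAssertion(pub, good, "example.com", "https://example.com", "nonce-1")
	bad := makeAssertion(priv, "lookalike.example", "https://lookalike.example", "nonce-1", 2)
	phish = verifyAssertion(pub, bad, "example.com", "https://example.com", "nonce-1")
	replay = verifyAssertion(pub, good, "example.com", "https://example.com", "nonce-2")
	return
}

func main() {
	legit, phish, replay := demo()
	fmt.Println("legitimate:", legit, "| look-alike site:", phish, "| replay:", replay)
}
```

The look-alike case is rejected at the origin check before the signature is even examined, and the replayed assertion is rejected on the challenge; a real server issues a fresh random challenge per login, which appears base64url-encoded in clientDataJSON.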

    5. Re:Something you have. by Anonymous Coward · · Score: 0

      With FIDO2, you are supposed to have a PIN for the FIDO key, which is the "something you know". It's identical to SSH key security.

  6. Awfuln. Just Awfuln. by Anonymous Coward · · Score: 0

    First the Dark Web. Then the Deep State. Now this. Awfuln. Just awfuln.

  7. FIDO means "certified backdoor" by Anonymous Coward · · Score: 0

    Back when backdoors were shaken out of software (like OpenSSL, the RSA debacle, etc), after the NSA leaks, it came out that anything "FIDO" was basically backdoored by design and should always be disabled and sometimes even patched out of the code base.

    Nowadays, the "FIDO alliance" is basically who's pushing this whole "all eggs in one basket" solution to web security, of all things.

  8. Better not compromise my ability to do it my way by Anonymous Coward · · Score: 0

    I don't have a smartphone. I don't want to buy additional hardware. I want to keep my very, very long passphrases. The goal of "eliminating" the password makes me think that this is an attempt to undermine my ability to use secure passphrases.

    It doesn't necessarily need to completely overtake the traditional methods in order to remove them as an option. On the web, there's a percentage of users that is considered not worth supporting. The exact percentages differ depending on vendor, but many hover around 10%. If less than 10% of your userbase uses a thing, they can be considered collateral damage.

  9. You don't. It's not for computer users. by Anonymous Coward · · Score: 0

    It's for app consumers. (The app developers are the ones using the computer in that case.)

    Computer users will just use the same proper security solutions they have used for decades.

    E.g.: Don't go grabbing data out of a web page with login via console. Not even if it's SOAP. Use a proper protocol that builds directly on TCP/IP. Preferably one with its own port number.

  10. Re:Better not compromise my ability to do it my wa by Anonymous Coward · · Score: 0

    10% is really high to consider dropping support for.

  11. They'd have to shard the password device or by Anonymous Coward · · Score: 0

    Have passwords for it to be sincere and not just an insincere path to understanding movies from the 90's.

  12. wear-and-tear by Anonymous Coward · · Score: 0

    the usb-slot is gonna get a lot of wear-and-tear with all this plug-in and remove maneuver.
    i am all for "something you have" but it could lead to:
    - a hardware ever-cookie. people just leave the usb-key plugged-in when at home. google et al. got permission to access the key when plugged in and will access it even when not actively logging in to a google et al. website?
    - an identification. the possessor is assumed to be a certain person, for example at an airport or such, confiscating the key to figure out who someone really is by plugging it in? in turn having the key can lead to framing someone with data: hacking under the name of someone else?
    - can be legally (?) confiscated, unlike say a password that is encrypted inside a brain, to access the latest and greatest bomb threats?
    - ...

    1. Re:wear-and-tear by Anonymous Coward · · Score: 0

      - can be legally (?) confiscated, unlike say a password that is encrypted inside a brain, to access the latest and greatest bomb threats? - ...

      Nothing a $5 wrench couldn't retrieve

  13. Sell your data to any bidder by stooo · · Score: 3, Insightful

    >> sell users' info to the highest bidder.

    Nope. They sell your data to any bidder. Why would they limit themselves to only one?

    --
    aaaaaaa
    1. Re:Sell your data to any bidder by AmiMoJo · · Score: 1, Interesting

      How does one access these user data auctions? Presumably they are wide open to everyone, in order to maximize profit.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  14. The opposite is true by SuperKendall · · Score: 2

    Use a *mobile device* for logging in somewhere? That seems like an extraordinarily bad idea. I wouldn't trust a mobile device for anything that requires security.

    That's kind of hilarious because the OPPOSITE is true. You are an idiot if you trust any desktop OS to truly secure material, with years of hidden security holes and apps not really that well sandboxed.

    I only deal with banks now through mobile apps if I can help it, because it is WAY more secure. I can control what updates go on my device, I can be far more sure that some random app cannot see what is going on with the banking app.

    most people load them up with all sorts of "apps" that are actually tracking/monitoring programs.

    Only while I'm using the apps. I'm on iOS, I choose what and when they can see anything related to what I am doing.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:The opposite is true by fbobraga · · Score: 1

      I'm on iOS

      Now I've got your thoughts... if you need security, an open source OS is not an option

  15. Fucking useless by Pinky's+Brain · · Score: 1

    Why is the server standard not also a W3C standard? Then maybe we would have EdDSA as required instead of recommended like in the FIDO2 clusterfuck.

  16. Nobody used the many by raymorris · · Score: 2

    We put several authentication options in the HTTP spec back in the 1990s. Some pretty secure, one was specifically marked as not secure. It was intended to be used the same way you'd use the latch on a bathroom stall. Of the three standards, the only one anyone ever used was the trivial one, basic authentication. After that most people started coding their own really bad authentication schemes, often based on PHP sessions.

    Then came SAML. A lot of larger companies used SAML, for handing off users after they were originally authenticated by crap homemade authentication.

    Now we have an effort by the major companies to standardize on actually using a non-crap (but not perfect) protocol. There are plenty of other decent protocols you can use, but virtually nobody uses them. The problem isn't a lack of decent protocols. The problem is that nobody uses the decent protocols, either because they don't know about them or they think that it'll be easier to come up with some homemade crap. We'll see if this effort gets people actually using a non-crap design.

    1. Re:Nobody used the many by Anonymous Coward · · Score: 0

      Then came SAML. A lot of larger companies used SAML, for handing off users after they were originally authenticated by crap homemade authentication.

      SAML is authorization. It's got jack to do with the topic at hand.

      Now we have an effort by the major companies to standardize on actually using a non-crap (but not perfect) protocol. There are plenty of other decent protocols you can use, but virtually nobody uses them.

      TLS is widely supported in production systems across the globe. You could use that like most sane corporations have been doing for a very long time.

      The problem isn't a lack of decent protocols. The problem is that nobody uses the decent protocols, either because they don't know about them or they think that it'll be easier to come up with some homemade crap. We'll see if this effort gets people actually using a non-crap design.

      No, the actual real issue is nobody gives a fuck about security. The handful of large public content companies pushing this shit are not doing so with the aim of improving security. They are pushing it with the aim of reducing administrative costs. The security angle is exclusively a public relations talking point.

    2. Re:Nobody used the many by grep+-v+'.*'+* · · Score: 1

      they think that it'll be easier to come up with some homemade crap. We'll see if this effort gets people actually using a non-crap design.

      But building new stuff is interesting and I already know exactly how it "works" -- reading books and RFPs is hard, and you have to think about it, and those guys are all just too stuffy and boring in the first place.

      I'm a programming literary giant -- like e. e. cummings, Robert Frost, and Katy Perry. *I* don't produce crap -- I produce architectures, masterpieces, just wonderful walls of code that make other people cry.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    3. Re:Nobody used the many by RespekMyAthorati · · Score: 1

      You don't have orange hair do you?

  17. What about SQRL? by MycoMan · · Score: 5, Interesting

    Isn't this the best answer? Mr. Gibson's carefully thought out technology - and open.
    https://www.grc.com/sqrl/sqrl.htm

    1. Re: What about SQRL? by mu22le · · Score: 1

      I kind of like the idea but there are a few downsides:
      - They have no backing from large players, partly because of the project's aversion to them.
      - No device -> no login. There is no way to log in at an internet café if you lose your phone (unless you have a copy of your seed in your wallet and blindly trust the café). This is, again, partly because of the project's aversion to big players playing the role of gatekeepers.
      - Possibly patent encumbered. The project tries to handwave it away, but they should really pay a lawyer and they probably don't have the money.

  18. hi by Anonymous Coward · · Score: 0

    hi

  19. Yes, we have evidence they're a security threat by Anonymous Coward · · Score: 0

    By the way, do you have any evidence that Google/Apple are actually a security threat to you?

    Wow, is this a serious question?! Anyway, the correct (and obvious) answer is YES. We definitely have not only evidence that they're a security threat, but the evidence also happens to be ironclad proof. Yes, they definitely are a security threat to 100.0% certainty. With the evidence we have, there is absolutely no possibility at all, that they aren't a threat.

    The evidence is this: both companies use proprietary software and deploy that to the users. So the users are running things that they can't audit for safety. That kind of thing is always going to be an enormous threat to security. It's impossible to secure; you will never know whether you can trust iOS (both the OS and the bundled apps), or Google's proprietary apps. (Theoretically, you can compile an Android kernel from source, where it's at least possible to make sure that part doesn't have malware, though I haven't heard of many people who actually do that. But you cannot compile Google Maps from source, because you don't have the source.)

  20. WebAuthn is not fit for release by Srin+Tuar · · Score: 4, Interesting

    They rolled their own custom elliptic curve, amateurishly.

    They have mandatory support for weak/broken RSA modes.

    https://paragonie.com/blog/201...

    1. Re:WebAuthn is not fit for release by Pinky's+Brain · · Score: 1

      As long as your client/key doesn't use them it's not much of a problem (for you) that the server does.

  21. Re: Yes, we have evidence they're a security threa by Anonymous Coward · · Score: 0

    This sounds more like theory than practice.

    Who actually audits everything in a desktop Linux system end-to-end, including the hardware and the network?