Slashdot Mirror

← Back to Stories (view on slashdot.org)

W3C Approves WebAuthn as the Web Standard For Password-Free Logins (venturebeat.com)

Posted by msmash on from the marching-forward dept.

The World Wide Web Consortium (W3C) today declared that the Web Authentication API (WebAuthn) is now an official web standard. From a report: First announced by the W3C and the FIDO Alliance in February 2016, WebAuthn is now an open standard for password-free logins on the web. It is supported by W3C contributors, including Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, SoftBank, Tencent, and Yubico. The specification lets users log into online accounts using biometrics, mobile devices, and/or FIDO security keys. WebAuthn is supported by Android and Windows 10. On the browser side, Google Chrome, Mozilla Firefox, and Microsoft Edge all added support last year. Apple has supported WebAuthn in preview versions of Safari since December.

5 of 55 comments (clear)

  1. Re:Something you have. by moronoxyd · · Score: 3, Interesting

    So instead of something you have / know / are - choose any two - it's now "Something you have."

    WebAuthn is not a replacement for 2FA, but for password logins. So where before you only had "something you know" you can now chose between "something you have (FIDO key) / know (password) / are (biometrics)".

  2. Re:Thanks, but no thanks by AmiMoJo · · Score: 4, Interesting

    Most people use really bad passwords over and over for multiple sites. Thus being able to use their mobile device is a vast improvement to their security.

    By the way, do you have any evidence that Google/Apple are actually a security threat to you? For example, it seems like law enforcement is forced to spend hundreds of thousands of dollars to compromise phones because Google/Apple refuse to help them, so I'm wondering exactly what your threat model is.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. What about SQRL? by MycoMan · · Score: 5, Interesting

    Isn't this the best answer? Mr. Gibson's carefully thought out technology - and open.
    https://www.grc.com/sqrl/sqrl.htm

  4. WebAuthn is not fit for release by Srin+Tuar · · Score: 4, Interesting

    They rolled their own custom elliptic curve, amateurishly.

    They have mandatory support for weak/broken RSA modes.

    https://paragonie.com/blog/201...

  5. Re:Sell your data to any bidder by AmiMoJo · · Score: 1, Interesting

    How does one access these user data auctions? Presumably they are wide open to everyone, in order to maximize profit.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC