Slashdot Mirror


W3C Approves WebAuthn as the Web Standard For Password-Free Logins (venturebeat.com)

The World Wide Web Consortium (W3C) today declared that the Web Authentication API (WebAuthn) is now an official web standard. From a report: First announced by the W3C and the FIDO Alliance in February 2016, WebAuthn is now an open standard for password-free logins on the web. It is supported by W3C contributors, including Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, SoftBank, Tencent, and Yubico. The specification lets users log into online accounts using biometrics, mobile devices, and/or FIDO security keys. WebAuthn is supported by Android and Windows 10. On the browser side, Google Chrome, Mozilla Firefox, and Microsoft Edge all added support last year. Apple has supported WebAuthn in preview versions of Safari since December.

13 of 55 comments

  1. Thanks, but no thanks by DogDude · · Score: 2, Insightful

    Use a *mobile device* for logging in somewhere? That seems like an extraordinarily bad idea. I wouldn't trust a mobile device for anything that requires security. They come already compromised by Google/Apple, and then most people load them up with all sorts of "apps" that are actually tracking/monitoring programs.

    I'm sure most people will love it.

    --
    I don't respond to AC's.
    1. Re:Thanks, but no thanks by AmiMoJo · · Score: 4, Interesting

      Most people use really bad passwords over and over for multiple sites. Thus being able to use their mobile device is a vast improvement to their security.

      By the way, do you have any evidence that Google/Apple are actually a security threat to you? For example, it seems like law enforcement is forced to spend hundreds of thousands of dollars to compromise phones because Google/Apple refuse to help them, so I'm wondering exactly what your threat model is.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Thanks, but no thanks by Anonymous Coward · · Score: 2, Informative

      "For example, it seems like law enforcement is forced to spend hundreds of thousands of dollars to compromise phones because Google/Apple refuse to help them, so I'm wondering exactly what your threat model is."
       
      For a lot of people you just spelt it out. :) Different AC here and I don't find Apple refusing to unlock a phone a threat to me. I do find Google's tracking to be a threat though. Half the web is locked away if you refuse to play with Google. That is by design. I find the inability of my phone to work with Google a threat. I mean I bought it from Samsung, why is Google controlling it? Why does Play keep asking to sync my contacts when I have said no many times, but if I ever say yes it won't ask again? So yes, I feel threatened by Google because I know they are using what I do, say, who I relate to and with to make money or acquire power. Google should be broken up. We are of course talking about a company that was caught uploading 1GB a month of data from Aussie customers without telling them and tracking users even when location services have been turned off.

    3. Re: Thanks, but no thanks by Anonymous Coward · · Score: 2, Informative

      If you have to ask, that means you aren't invited.

  2. Something you have. by Anonymous Coward · · Score: 2, Insightful
    So instead of something you have / know / are - choose any two - it's now "Something you have." It's a great improvement over the atrociously insecure "We'll [collect your phone number for our database] and send a text to your cell phone [which might not even be your phone because SS7 is hopelessly insecure]" but killing the password entirely simply shifts the problem to how do you secure a bunch of Yubikeys?

    How do I, for example, log in using a CLI? How is this any different than, say, storing my private key in ~/.ssh? How do I, for that matter, do anything with this that doesn't involve a web browser?

    1. Re:Something you have. by moronoxyd · · Score: 3, Interesting

      So instead of something you have / know / are - choose any two - it's now "Something you have."

      WebAuthn is not a replacement for 2FA, but for password logins. So where before you only had "something you know" you can now choose between "something you have (FIDO key) / know (password) / are (biometrics)".

    2. Re:Something you have. by Meneth · · Score: 3, Informative

      Both of which are harder to replace when their server counterparts are deleted or leaked.

  3. Re:One or Many? by DontBeAMoran · · Score: 2

    So is there one standard or many?

    Yes.

    --
    #DeleteFacebook
  4. Sell your data to any bidder by stooo · · Score: 3, Insightful

    >> sell users' info to the highest bidder.

    Nope. They sell your data to any bidder. Why would they limit themselves to only one?

    --
    aaaaaaa
  5. The opposite is true by SuperKendall · · Score: 2

    Use a *mobile device* for logging in somewhere? That seems like an extraordinarily bad idea. I wouldn't trust a mobile device for anything that requires security.

    That's kind of hilarious because the OPPOSITE is true. You are an idiot if you trust any desktop OS to truly secure material, with years of hidden security holes and apps not really that well sandboxed.

    I only deal with banks now through mobile apps if I can help it, because it is WAY more secure. I can control what updates go on my device, I can be far more sure that some random app cannot see what is going on with the banking app.

    most people load them up with all sorts of "apps" that are actually tracking/monitoring programs.

    Only while I'm using the apps. I'm on iOS, I choose what and when they can see anything related to what I am doing.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  6. Nobody used the many by raymorris · · Score: 2

    We put several authentication options in the HTTP spec back in the 1990s. Some pretty secure, one was specifically marked as not secure. It was intended to be used the same way you'd use the latch on a bathroom stall. Of the three standards, the only one anyone ever used was the trivial one, basic authentication. After that most people started coding their own really bad authentication schemes, often based on PHP sessions.

    Then came SAML. A lot of larger companies used SAML, for handing off users after they were originally authenticated by crap homemade authentication.

    Now we have an effort by the major companies to standardize on actually using a non-crap (but not perfect) protocol. There are plenty of other decent protocols you can use, but virtually nobody uses them. The problem isn't a lack of decent protocols. The problem is that nobody uses the decent protocols, either because they don't know about them or they think that it'll be easier to come up with some homemade crap. We'll see if this effort gets people actually using a non-crap design.

  7. What about SQRL? by MycoMan · · Score: 5, Interesting

    Isn't this the best answer? Mr. Gibson's carefully thought out technology - and open.
    https://www.grc.com/sqrl/sqrl.htm

  8. WebAuthn is not fit for release by Srin+Tuar · · Score: 4, Interesting

    They rolled their own custom elliptic curve, amateurishly.

    They have mandatory support for weak/broken RSA modes.

    https://paragonie.com/blog/201...