Today, the World Wide Web Consortium (W3C), the organization behind all web standards, has formally promoted the Web Authentication API to the title of official web standard.
This promotion means the Web Authentication API –more commonly referred to as WebAuthn– has now reached a stable version and can be implemented and rolled out by websites in its current form, without fear of future breaking changes.
WebAuthn is what security experts are calling a passwordless authentication system and what they see as the future of user account security.
WebAuthn allows users to register and authenticate on websites or mobile apps using an “authenticator” instead of a password.
The “authenticator” can be a hardware security key that the user has connected to his computer or a biometric ID that can be acquired from the PC or smartphone’s sensors –such as fingerprints, face scans, iris scans, and others.
Development on the WebAuthn standard started back in November 2015, after the FIDO (Fast IDentity Online) Alliance donated the FIDO 2.0 specifications to the W3C.
A previous FIDO Alliance specification, FIDO U2F, is already supported by browsers and online services. It’s what currently allows users to use secret tokens stored on YubiKey USB thumb drives (aka hardware security keys) to log into websites such as Google, Facebook, Dropbox, AWS, GitHub, YouTube, and others.
The WebAuthn API is an upgrade of FIDO U2F and will support a multitude of other authentication systems besides USB-stored security keys –including biometrics.
Besides W3C and browser makers, the FIDO Alliance has also greatly contributed to the new WebAuthn standard.
The FIDO Alliance is an industry consortium that includes some of the tech world’s largest companies. The FIDO Alliance’s main mission is to create interoperable authentication methods and standards fit for the future of technology and move users and devices away from using antiquated passwords-based login systems.
“Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,” said Jeff Jaffe, W3C CEO.