Standards group aims to put crypto controls into browsers to secure Web apps

W3C has early draft of specification for authentication standard that works across browser platforms, prevents phishing.
Written by John Fontana, Contributor

The World Wide Web Consortium (W3C) is working on the first draft of a standard specification designed to outfit browsers with hooks that support strong cryptographic credentials, securing access to a user's Web applications and eradicating phishing.

"This is an important step towards making unphishable privacy-preserving authentication available on the Web and reducing reliance on passwords," the W3C's Web Authentication (WebAuthn) Working Group said on its homepage.

The W3C is an international standards organization for the World Wide Web and its work is typically adopted by all the major Web browsers. WebAuthn is aimed at establishing a strong authentication standard across browser platforms.

The W3C's timing may just be right as password thefts and data dumps have ruled security news cycles as of late. Changes in authentication methods and end-user habits have been tough nuts to crack in the industry, and the W3C is just the latest to take a shot with its browser-centric model.

Late last month, the W3C published the first working draft of its Web Authentication Specification (WebAuthn), and hopes to have another draft published in September that encompasses the specification's goals and is ready to send out for developer peer review.

The group's goals include removing the need for passwords, facilitating multi-factor authentication support, establishing hardware-based cryptographic key storage and enabling unique key pairs that prevent tracking of users across Web sites.

The Web Authentication specification includes designs for an application programming interface (API) along with mechanisms for signatures and for attesting the authenticity of the device that produces a user's cryptographic keys. All the cryptography would happen behind the scenes and be activated by a device known as an authenticator, which could be a hardware token or a smartphone.

The WebAuthn API would enable web pages to receive cryptographic credentials that are compliant with the WebAuthn specification. A user's authenticator would plug into their device, or they would use a smartphone that contains secure elements that act as an authenticator. The user would register a unique cryptographic credential with each Web site and subsequently would use the authenticator to provide consent for operations such as login. The user is in control of their credentials and keys, which facilitates their privacy.

The WebAuthn working group is working from a specification submitted in November by the FIDO Alliance based on its FIDO 2.0 work.

Currently, Google Chrome includes the original FIDO Alliance authentication protocols. Chrome and Mozilla Firefox are testing early versions of the Web Authentication specification, while Microsoft's new Edge browser includes the early underpinnings of the Web Authentication model.

The WebAuthn group plans to use the W3C Document License for all its proposed standards.

Disclaimer: My primary employer is a member of the W3C and the FIDO Alliance.
