W3C finalizes Web Authentication (WebAuthn) standard

WebAuthn is already supported on Windows 10, Android, Chrome, Edge, Firefox, and soon on Safari.
Written by Catalin Cimpanu, Contributor

Today, the World Wide Web Consortium (W3C), the organization behind all web standards, has formally promoted the Web Authentication API to the title of official web standard.

This promotion means the Web Authentication API --more commonly referred to as WebAuthn-- has now reached a stable version and can be implemented and rolled out by websites in its current form, without fear of future breaking changes.

The standard is already supported in browsers like Google Chrome, Edge, and Firefox, and in the preview version of Apple's Safari. It is also supported on Android and Windows 10.

WebAuthn is what security experts are calling a passwordless authentication system and what they see as the future of user account security.

WebAuthn allows users to register and authenticate on websites or mobile apps using an "authenticator" instead of a password.

The "authenticator" can be a hardware security key that the user has connected to his computer or a biometric ID that can be acquired from the PC or smartphone's sensors --such as fingerprints, face scans, iris scans, and others.

Development on the WebAuthn standard started back in November 2015, after the FIDO (Fast IDentity Online) Alliance donated the FIDO 2.0 specifications to the W3C.

A previous FIDO Alliance specification, FIDO U2F, is already supported by browsers and online services. It's what currently allows users to use secret tokens stored on YubiKey USB thumb drives (aka hardware security keys) to log into websites such as Google, Facebook, Dropbox, AWS, GitHub, YouTube, and others.

The WebAuthn API is an upgrade of FIDO U2F and will support a multitude of other authentication systems besides USB-stored security keys --including biometrics.

Besides W3C and browser makers, the FIDO Alliance has also greatly contributed to the new WebAuthn standard.

The FIDO Alliance is an industry consortium that includes some of the tech world's largest companies. The FIDO Alliance's main mission is to create interoperable authentication methods and standards fit for the future of technology and move users and devices away from using antiquated password-based login systems.

"Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences," said Jeff Jaffe, W3C CEO.

Article updated to clarify differences between WebAuthn and FIDO U2F.
