
W3C accelerates Web authentication work

17 February 2016 | Source: World Wide Web Consortium

Recognising the critical role of strong authentication in securing the Web experience for everyone, the World Wide Web Consortium (W3C) announced today that it is launching a new standards effort in Web Authentication that will offer a more secure and flexible alternative to password-based log-ins on the Web.

For many Web users, passwords are annoying to use and offer weak protection for their interactions: they are too often forgotten or set to weak, easily guessed combinations. Even strong passwords can be lost in data breaches or targeted for replay in phishing attacks. W3C's new Web Authentication work, based upon the member submission of FIDO 2.0 Web APIs from the FIDO Alliance, will enable the use of strong cryptographic operations in place of password exchange.

"When strong authentication is easy to deploy, we make the Web safer for daily use, personal and commercial," said Sir Tim Berners-Lee, Web Inventor and W3C Director. "With the scope and frequency of attacks increasing, it is imperative for W3C to develop new standards and best practices for increased security on the Web."

Web Authentication Complements Current W3C Web Security Activities

According to W3C CEO Dr. Jeff Jaffe, the Web Authentication effort will complement prior W3C work on a Web Cryptography API, currently in Candidate Recommendation status, and ongoing work on Web Application Security specifications. The WebCrypto API provides a JavaScript API to a standard suite of cryptographic operations across browsers. Work in WebAppSec includes improvements to the HTTPS experience and updates to Content Security Policy (CSP), which lets application authors set policy for what active content is permitted to run on their sites, protecting them against injection of unwanted or malicious code.

"Our goal is to raise the entire Open Web Platform to a higher standard of security and to collaborate with industry, academic experts, and other standards organizations to ensure that specific Web security needs are met," Jaffe said. "We invite broad participation to work together on this top priority to keep the Web as secure as possible today and in the foreseeable future."

Wendy Seltzer, Technology and Society Domain Lead, says she expects the new Web Authentication work to close an important gap in the Web platform. "We've seen much better authentication methods than passwords, yet too many Web sites still use password-based log-ins. Standard Web APIs will make consistent implementations work across the Web ecosystem. The new approach will replace passwords with more secure ways of logging into Web sites, such as using a USB key or activating a smartphone. Strong authentication is useful to any Web application that wants to maintain an ongoing relationship with users," Seltzer commented.

FIDO 2.0 Web APIs to Jumpstart Web Authentication Work

The W3C's Web Authentication technical work is being accelerated thanks to a W3C member submission of FIDO 2.0 Web APIs from members of the FIDO Alliance. The submitted APIs are intended to ensure standards-based strong authentication across all Web browsers and related Web platform infrastructure.

"Our mission is to revolutionize authentication on the Web through the development and global adoption of technical specifications that supplant the world's dependency on passwords with interoperable strong authentication," said Brett McDowell, executive director of the FIDO Alliance. "With W3C's acceptance of the FIDO 2.0 submission, and the chartering of this new Web Authentication Working Group, we are well on our way to accomplishing that mission."

The new Web Authentication Working Group's first meeting will take place 4 March 2016 in San Francisco, conveniently timed for people who are also attending the RSA USA Conference. All W3C standards activities take place in Working Groups that are open to participation by W3C members and provide public mailing lists and repositories for public comment.

"The developers and engineers involved in W3C's efforts to improve Web security are keenly aware of the need to upgrade protocols without breaking the Web that billions of people rely on," said Seltzer. "We very much encourage those interested in helping W3C to build a more secure Web to get involved."
