For many Web users, passwords are annoying to use and offer weak protection for their interactions -- they're too often forgotten or set to weak, and easily-guessed combinations. Even strong passwords can be lost in data breaches or targeted for replay in phishing attacks. W3C's new Web Authentication work, based upon the member submission of FIDO 2.0 Web APIs from the FIDO Alliance, will enable the use of strong cryptographic operations in place of password exchange.

"When strong authentication is easy to deploy, we make the Web safer for daily use, personal and commercial," said Sir Tim Berners-Lee, Web Inventor and W3C Director. "With the scope and frequency of attacks increasing, it is imperative for W3C to develop new standards and best practices for increased security on the Web."

Web Authentication Complements Current W3C Web Security Activities

According to W3C CEO Dr. Jeff Jaffe, the Web Authentication effort will complement prior W3C work on a Web Cryptography API, currently in Candidate Recommendation status, and on-going work on Web Application Security specifications. The WebCrypto API provides a Javascript API to a standard suite of cryptographic operations across browsers. Work in WebAppSec includes improvements to the HTTPS experience and updates to Content Security Policy (CSP), enabling application authors to set policy for what active content is permitted to run on their sites, protecting them against injection of unwanted or malicious code.

"Our goal is to raise the entire Open Web Platform to a higher standard of security and to collaborate with industry, academic experts, and other standards organizations to ensure that specific Web security needs are met," Jaffe said. "We invite broad participation to work together on this top priority to keep the Web as secure as possible today and in the foreseeable future."

Wendy Seltzer, Technology and Society Domain Lead, says she expects the new Web Authentication work to close an important gap in the Web platform. "We've seen much better authentication methods than passwords, yet too many Web sites still use password-based log-ins. Standard Web APIs will make consistent implementations work across the Web ecosystem. The new approach will replace passwords with more secure ways of logging into Web sites, such as using a USB key or activating a smartphone. Strong authentication is useful to any Web application that wants to maintain an ongoing relationship with users," Seltzer commented.

FIDO 2.0 Web APIs to Jumpstart Web Authentication Work

The W3C's Web Authentication technical work is being accelerated thanks to a W3C member submission of FIDO 2.0 Web APIs from members of the FIDO Alliance. The submitted APIs are intended to ensure standards-based strong authentication across all Web browsers and related Web platform infrastructure.

"Our mission is to revolutionize authentication on the Web through the development and global adoption of technical specifications that supplant the world's dependency on passwords with interoperable strong authentication," said Brett McDowell, executive director of the FIDO Alliance. "With W3C's acceptance of the FIDO 2.0 submission, and the chartering of this new Web Authentication Working Group, we are well on our way to accomplishing that mission."

The new Web Authentication Working Group's first meeting will take place 4 March 2016 in San Francisco, conveniently timed for people who are also attending the RSA USA Conference. All W3C standards activities take place in Working Groups that are open to participation by W3C members and provide public mailing lists and repositories for public comment.

"The developers and engineers involved in W3C's efforts to improve Web security are keenly aware of the need to upgrade protocols without breaking the Web that billions of people rely on," said Seltzer. "We very much encourage those interested in helping W3C to build a more secure Web to get involved."