Passwordless login method 'WebAuthn' becomes a web standard



The World Wide Web Consortium (W3C), which promotes the standardization of technologies used on the World Wide Web, has adopted the password-free login method "Web Authentication (WebAuthn)" as a new web standard. As a result, many web browsers and web services are expected to support authentication methods that do not use passwords.

W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins - FIDO Alliance
https://fidoalliance.org/w3c-and-fido-alliance-finalize-web-standard-for-secure-passwordless-logins/

W3C finalizes Web Authentication (WebAuthn) standard | ZDNet
https://www.zdnet.com/article/w3c-finalizes-web-authentication-webauthn-standard/

W3C approves WebAuthn as the web standard for password-free logins | VentureBeat
https://venturebeat.com/2019/03/04/w3c-approves-webauthn-as-the-web-standard-for-password-free-logins/



Many web services authenticate users with a user name or e-mail address and a password. With this method, however, problems arise such as users choosing a dangerous password like "123456" or reusing one password across multiple services, while managing many different passwords is very troublesome.

For this reason, the FIDO Alliance and W3C, non-profit standardization bodies aiming to standardize new online authentication technology, have promoted the standardization of a new online authentication technology called WebAuthn. WebAuthn is a specification for authenticating users without relying on passwords; users can log in to services using biometrics such as fingerprint or face authentication, mobile devices, or security key devices such as "YubiKey".

WebAuthn is already supported by operating systems and web browsers such as Windows 10, Android, Google Chrome, Mozilla Firefox and Microsoft Edge, and Apple's Safari also added WebAuthn support in the preview version released in December 2018. Among web services, Dropbox, Facebook, GitHub, Twitter and others already support WebAuthn, and with W3C making WebAuthn a web standard, other web services are expected to follow.

The following video shows how user authentication with WebAuthn works.

Go Beyond Passwords with WebAuthn


Many web services use user name and password input at login to authenticate users.



However, WebAuthn, newly standardized by W3C, is an authentication method that does not use a password.



WebAuthn uses fingerprint authentication, a PIN code, a security key device and so on.



Insert a physical key into the USB port...



The user can then authenticate with an action such as placing a finger on the device's fingerprint sensor. For example, when you register a fingerprint on a client device, a public key and a private key corresponding to that fingerprint are created, and the public key is stored on the server of the service. The private key is stored on the device and is not exposed outside it. When the user authenticates, the device first confirms the user's identity by a method such as fingerprint authentication or physical key authentication, and the response is then signed with the private key and sent back to the server of the service.
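The key-pair flow described above, modeled as an added example in Node.js (it is not code from the original article, W3C or the FIDO Alliance). It goes beyond the article by including the server's random challenge and the origin check that the WebAuthn specification defines; the browser and authenticator are merged into one object, and `example.com`, `login.example.net` and all function names are constructed for illustration.

```javascript
// Simplified model of the WebAuthn key flow; browser and authenticator are merged.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Device side: the private key is created on the device and never leaves it.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // sent to the server once, at registration
    // Called only after the local user check (fingerprint, PIN, key touch) succeeds.
    sign(rpId, origin, challenge) {
      const clientDataJSON = Buffer.from(JSON.stringify({
        type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      // authenticatorData = SHA-256(rpId) || flags (0x05: user present + verified) || counter
      const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
      const signature = crypto.sign('sha256',
        Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
      return { clientDataJSON, authenticatorData, signature };
    },
  };
}

// Server side: holds only the public key and issues a fresh random challenge per login.
function verifyAssertion(publicKey, expected, assertion) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return false;
  if (clientData.challenge !== expected.challenge.toString('base64url')) return false; // replay
  if (clientData.origin !== expected.origin) return false; // signed for another site
  if (!assertion.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return false;
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature);
}

function demo() {
  const rpId = 'example.com', origin = 'https://example.com'; // constructed values
  const device = createAuthenticator();
  const expected = { rpId, origin, challenge: crypto.randomBytes(32) };
  const good = device.sign(rpId, origin, expected.challenge);
  const bumped = Buffer.concat([good.authenticatorData.subarray(0, 36), Buffer.from([9])]);
  return {
    valid: verifyAssertion(device.publicKey, expected, good),
    replayed: verifyAssertion(device.publicKey, { ...expected, challenge: crypto.randomBytes(32) }, good),
    wrongOrigin: verifyAssertion(device.publicKey, expected,
      device.sign(rpId, 'https://login.example.net', expected.challenge)),
    tampered: verifyAssertion(device.publicKey, expected, { ...good, authenticatorData: bumped }),
  };
}
console.log(demo());
```

Only the first assertion verifies: a response captured from an earlier login, one signed for a different origin, and one altered after signing are all rejected, and the server never holds anything that could be used to sign.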



WebAuthn is also standardized in mobile browsers and services.



81% of data leaks are reportedly caused by easy-to-guess or stolen passwords, and the time users spend entering and resetting passwords becomes considerable when added up over a year. Jeff Jaffe, CEO of W3C, said: "Web services and companies need to support WebAuthn, which is better than weak authentication methods using passwords, and improve user security and usability."

Although W3C has made WebAuthn a recommendation, it is up to individual vendors and services whether to follow it. Still, companies that support W3C, such as Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal and SoftBank, have large market shares worldwide, so many web browsers and web services are expected to change their systems so that users can log in with WebAuthn.

in Mobile,   Web Service,   Hardware,   Video,   Security, Posted by log1h_ik