Major Browsers Back FIDO2 Tech For A Password-Free Web

Password-free web browsing has moved a step closer to reality with a move to advance an open standard for authentication devices toward its final form.

The World Wide Web Consortium (W3C) standards body said it has assigned the FIDO Alliance’s Web Authentication (WebAuthn) standard to Candidate Recommendation (CR) status, the stage before final approval.

The move means software and hardware providers can begin to implement the technology, which creates a standardised framework for authentication methods that are currently implemented by individual companies for their own devices or software.

The W3C said the specifications for WebAuthn and FIDO’s Client to Authenticator Protocol (CTAP) are available immediately, as are conformance test tools. FIDO said it would begin conformance testing soon.

Strong authentication

CTAP allows authentication devices such as a security key or a mobile phone to transfer credentials to an access device such as a computer or a phone over USB, Bluetooth or Near Field Communications (NFC).

Both are core parts of FIDO’s FIDO2 Project.

Major web software companies including Google, Microsoft and Mozilla are already working on WebAuthn implementations for the Chrome, Edge and Firefox browsers on multiple platforms, and have made a more formal commitment with this week’s announcement.

But to be useful the standard must also be supported broadly by web application developers and authentication device makers. The release of the near-final standard means those organisations can now also begin work on implementation.

FIDO2 is a hardware-centric specification that brings together multiple authentication types including biometrics like fingerprint, voice or facial recognition, USB tokens, smartcards and NFC devices.

Until now companies have had to invest in their own technology to support such techniques, with examples including  the fingerprint or facial recognition scanners built into newer smartphones.

Broader availability

The standard makes such technology openly available to anyone, potentially meaning those methods could become much more common.

“With the new FIDO2 specifications and leading web browser support announced today, we are taking a big step forward towards making FIDO Authentication ubiquitous across all platforms and devices,” stated FIDO Alliance executive director Brett McDowell .

He said shifting to the hardware-based techniques supported by FIDO2 could help protect users from increasingly common data breaches that exploit insecure passwords.

“Providing a password alternative that works across devices, apps, browsers, and websites delivers on our commitment to a future without passwords,” said Dave Bossio, group programme manager for operating system security at Microsoft.

Selena Deckelmann, senior director of engineering at Mozilla’s Firefox Runtime, said the technology would give users the option of adding “another layer of security” to their browsing experience.

The specifications and testing tools are available from the FIDO Alliance’s website.

Do you know all about security? Try our quiz!