Hello Mi Fans,
Passwords have become major irritants both for users and for the security teams that have to support them. Remembering credentials for dozens of sites is difficult, so many people tend to reuse passwords on multiple sites, meaning that if a password is stolen or compromised in a data breach, many separate accounts could be jeopardized. There have been a number of different efforts to address this problem, from password managers to biometrics, but none has become the one overarching solution to the problem.
In an era of data breaches and dumps, it has become crucial to shift to a new paradigm that doesn’t depend on passwords for using internet services. To offer stronger authentication all over the web, the FIDO Alliance and the World Wide Web Consortium (W3C) are launching a new standard called Web Authentication (WebAuthn).
WebAuthn defines a standard Web API that can be incorporated into browsers and web platform infrastructure to provide new methods of authenticating securely on the web with the help of browsers and devices. The Web Authentication (WebAuthn) standard is designed to replace the password with biometrics and devices that users already own, such as a security key, a smartphone, a fingerprint scanner or webcam.
Instead of having to remember an increasingly long string of characters, users can authenticate their login with their body or something they have in their possession, communicating directly with the website via Bluetooth, USB or NFC.
“WebAuthn will change the way that people access the Web,” said Jeff Jaffe, chief executive of the World Wide Web Consortium (W3C), the body that controls web standards.
WebAuthn is developed by the W3C in coordination with the FIDO Alliance, and it is a primary part of the FIDO 2 project along with FIDO’s Client to Authenticator Protocol (CTAP) specification. CTAP comes into play when an external authenticator communicates with the user’s internet device: an external authenticator such as a mobile phone has to communicate locally with that device using strong credentials. The FIDO 2 project enables users to authenticate to online services from mobile devices or desktops with enhanced, phishing-resistant security.
Instead of entering passwords, WebAuthn allows users to sign in using a fingerprint, retina scan, other biometric data stored in a smartphone, and even using a hardware key plugged into your laptop or a dedicated app. While it is already available to users, browser makers’ support will bring a major breakthrough, pushing for a password-free internet.
One example of how WebAuthn will work is that when a user visits a site they want to log into, they input a user name and then get an alert on their smartphone. Tapping on the alert on their phone then logs them into the website without the need for a password.
WebAuthn promises to protect users against phishing attacks and the use of stolen credentials, as there will be nothing to steal: the authentication token is generated and used once by their specific device each time the user logs in.
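The checks a website performs on such a login token, as an added example that is not part of the original post. It assumes Node.js, a constructed site origin `https://example.test`, and hypothetical function names; the authenticator is simulated with a locally generated P-256 key pair.

```javascript
// Added example: site-side checks on a WebAuthn-style login assertion.
const crypto = require("node:crypto");

const RP_ORIGIN = "https://example.test"; // constructed site origin (assumption)
const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest();
const rpIdHash = (origin) => sha256(new URL(origin).hostname);

// Registration: the device creates a key pair; the site stores only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const pending = new Set(); // challenges the site has issued and not yet seen used

function issueChallenge() {
  const challenge = crypto.randomBytes(32).toString("base64url");
  pending.add(challenge);
  return challenge;
}

// Simulated browser + authenticator. The browser records the origin it really sees.
// A real authenticator would not offer this credential to another site at all;
// the simulation signs anyway so the site-side checks can be exercised.
function signAssertion(challenge, seenOrigin) {
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: "webauthn.get", challenge, origin: seenOrigin }));
  const authenticatorData = Buffer.concat([
    rpIdHash(seenOrigin), // 32-byte hash of the site identifier
    Buffer.from([0x05]),  // flags: user present + user verified
    Buffer.alloc(4),      // signature counter
  ]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData,
           signature: crypto.sign("sha256", signed, privateKey) };
}

// Site-side verification: returns "ok" or the reason the login is rejected.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }) {
  const cd = JSON.parse(clientDataJSON.toString("utf8"));
  if (cd.type !== "webauthn.get") return "wrong type";
  if (cd.origin !== RP_ORIGIN) return "origin mismatch";
  if (!authenticatorData.subarray(0, 32).equals(rpIdHash(RP_ORIGIN))) return "rpId mismatch";
  if (!pending.delete(cd.challenge)) return "unknown or reused challenge";
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad signature";
}

// Demo: the same token is accepted once, then rejected as a replay.
const demo = signAssertion(issueChallenge(), RP_ORIGIN);
console.log(verifyAssertion(demo), "/", verifyAssertion(demo));
```

The site never holds a secret that could be leaked in a breach: it stores only the public key, and a captured token is useless once its challenge has been consumed.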
WebAuthn should also help people use unique login details for each and every service they use, instead of using the same login and password for every site, which many people still do, leaving them vulnerable to further attacks if one site is hacked.
“After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications,” says Brett McDowell, executive director of the FIDO Alliance.
Simpler authentication: users simply log in with a single gesture using:
Stronger authentication: FIDO Authentication is much stronger than relying only on passwords and related forms of authentication, and has these advantages:
Google, Mozilla, and Microsoft have started to support the WebAuthn standard in their browsers and have started implementation for the Windows, Linux, Chrome and Mac platforms. Both the CTAP and WebAuthn specifications are available today, which will enable developers to build support for the next generation of FIDO authentication into their products.
Online services and enterprises that are looking to protect themselves and their customers from the risks related to passwords, which include phishing, stolen credentials, and several other attacks, can soon start using a standard authentication process that will work through the browser or an external authenticator. So, deploying the FIDO Authenticator can enable users to choose which of their various devices they use for access.
The standards of the FIDO 2 project will reach out across the globe, and many companies have pledged to start implementing the FIDO authenticator in their browsers and operating systems. Simultaneously, FIDO will also launch certificates for the servers and authenticators that adhere to the FIDO standards.
Though this does not mean an immediate or even a near-future end of passwords, this is one of the first tangible steps towards an Internet standard being implemented for a future
How do you feel about ditching passwords and welcoming this new web standard?