Phish Fight

Web Consortium Addresses “the World’s Password Problem”

The Internet is great. Passwords are lousy. Current web authentication methods have become somewhat cumbersome, but what’s worse is that they’ve enabled evil-doers to manipulate even experienced users into revealing their usernames and passwords.

This week, the World Wide Web Consortium, the organization behind most webpage standards, introduced the Web Authentication API as an official specification. Known as WebAuthn, the tool allows users to verify their access using an authenticator instead of a password. It aims to make passwordless authentication the future of account security.

Passwords have long been recognized as a weak link in the security of web services. Development for the WebAuthn standard started in November 2015, after the FIDO Alliance — FIDO stands for Fast IDentity Online — donated the FIDO 2.0 API to the web consortium. The FIDO Alliance counts some of the biggest names in the technology world as members, for example, Alibaba, Amazon, Arm, Google, Microsoft and Samsung. Other participants also include businesses that rely on the web for delivering services, such as major insurance firms, credit card providers, banks and financial services companies.

The main aim of this project was to create interoperable authentication methods and standards, and move away from antiquated password-based login systems. Passwords aren’t just a security problem, but also a usability frustration. Two-step authentication, a method that tackles the weaknesses of static passwords by creating another step in authentication procedures, has led to more complexity in many cases.

WebAuthn is a component of the FIDO2 standard, which supports public key cryptography and multifactor authentication — the Universal Authentication Framework and Universal Second Factor protocols. The FIDO Alliance offers testing tools and a certification program for service providers and suppliers ready to get started with FIDO2 specifications, as well as support for different browsers and platforms.

FIDO authentication starts locally, between the user and the device, with a PIN or biometric, which lowers the possibility of a remote attack. A private key is generated on the device and held by the authenticator, which verifies the user locally and then uses that key to prove the login to the site.

WebAuthn is already supported by all major browsers including Google Chrome, Microsoft Edge, Firefox and Apple’s Safari, and works on PC and mobile operating systems. Prior to being recognized as a standard, a version of the specification had already been implemented on sites such as Dropbox, Facebook, GitHub, Salesforce, Stripe and Twitter. Now that WebAuthn is an official standard, it’s likely that many other sites will implement it, leading to more passwordless logins on the Internet.

The goal of the FIDO Alliance has been to eliminate passwords everywhere. In a press release, the group highlights studies showing that 81% of IT security breaches are caused by the use of weak or stolen passwords, often obtained through a phishing attack in which a user is tricked into revealing their login credentials. While some such attempts are obvious and clumsy, others can be very crafty. According to researchers, one in 14 web users has been tricked into following a malicious link or opening an attachment. This includes both private and enterprise users. The World Economic Forum estimates that cybercrime currently costs the global economy $445 billion a year.

The wide implementation of WebAuthn is a positive step that supports more secure Internet usage. Web service providers, wireless carriers and any company looking to create trust are almost certainly evaluating the approach. This could turn out to be a good phishing story.