The new WebAuthn standard is coming to the web as the W3C is working to bring the latest generation of the FIDO strong authentication specifications forward into the standards realm.
The FIDO (Fast Identity Online) Alliance has been building strong authentication specifications, including the Universal Second Factor (U2F) and Universal Authentication Framework (UAF), since 2012. With the W3C, FIDO is evolving its FIDO2 specification to become an official web standard that will be supported by all the major web browsers.
“The W3C’s Web Authentication Working Group is responsible for defining the Web API to strong authentication, so we started with a submission from FIDO and worked to address the feedback from implementors such as web browsers and additional participants and reviewers,” Wendy Seltzer, W3C strategy lead, told eWEEK.
The FIDO Alliance finalized its first set of strong authentication specifications in December 2014 with the U2F and UAF 1.0 releases. The early promise of the specifications was to enable secure authentication that goes beyond the basic username and password paradigm to provide stronger authentication options including two-factor and biometrics. Among the early backers of the U2F 1.0 specification was Google, which implemented support for FIDO into Chrome back in 2014 as well.
“By partnering with W3C to standardize FIDO Authentication for the entire web platform, the FIDO ecosystem grows by more than just one or two leading web browsers,” Brett McDowell, executive director of the FIDO Alliance, told eWEEK. “We expect to benefit from the entire community of web browsers and web application servers supporting the standard. W3C is simply where the web community produces their standards, so it was more practical to work on this set of web technologies in that forum.”
FIDO2
The W3C WebAuthn standards effort involves the FIDO2 specification project, which is a next generation of the U2F and UAF specifications that have been in the market since 2014.
McDowell said that if you look at the use cases that U2F/UAF standards enabled, then FIDO2 represents a new set of specifications that enable the superset of those use cases. That said, he noted that the technical specifications are in fact a bit different in one important way: FIDO2 was designed from day one to be implemented by platforms.
“The FIDO2 Project is a set of interlocking initiatives that together create a FIDO Authentication standard for platforms such as the web and native operating systems,” McDowell said. “By optimizing FIDO Authentication for platform implementation, we greatly expand the FIDO ecosystem as browsers and operating systems push out updates to billions of devices.”
CTAP
The U2F protocol that FIDO first released back in 2014 is now part of the Client to Authenticator Protocols (CTAP) specification set, where it is referred to as CTAP1. McDowell said that CTAP2 is the new protocol that accommodates an expanded set of capabilities in next-generation external authenticators.
“With CTAP1/U2F, the external authenticator was only expected to be able to provide the second factor of authentication,” he said. “That meant a CTAP1/U2F solution needed to get its first factor of authentication the old-fashioned way, with a match-on-server password.”
With CTAP2, the external authenticator can provide both factors of authentication, not just one, according to McDowell. The next-generation external authentication devices will be able to accommodate a biometric or PIN unlock mechanism to add a second factor that is matched on-device, not in the cloud.
“In this way, a CTAP2 authenticator removes the previous implicit dependency on legacy passwords,” he said.
There is already a large ecosystem of vendors and users of FIDO-compliant devices, but that market will be even larger with WebAuthn. To prepare the market to take full advantage of the growth in the addressable market of FIDO-enabled devices, McDowell said the FIDO Alliance is providing testing tools and launching certification programs for the FIDO2 specifications (CTAP + WebAuthn).
“FIDO technology providers will be introducing FIDO Certified Universal Servers that support FIDO2 and all prior UAF and U2F devices, enabling full backwards compatibility for all previously certified FIDO authenticators,” McDowell said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.