Three major browser makers, Google, Microsoft, and Mozilla, have put their official backing behind a new W3C API called Web Authentication (WebAuthn), which is being promoted as a reliable passwordless alternative to password-based online authentication.
The new API lets users log into web apps and websites with authentication methods other than passwords, the mechanism most websites still rely on today: hardware security keys, fingerprints, facial recognition, iris scans, and other biometric factors.
Google, Microsoft, and Mozilla have said they plan to support the new WebAuthn API inside Chrome, Edge, and Firefox, respectively. Support for WebAuthn has been announced for Chrome 67 and Firefox 60.
Work on this new W3C (World Wide Web Consortium) API started back in November 2015, when the FIDO (Fast IDentity Online) Alliance donated the FIDO 2.0 Web API to the W3C.
The earlier FIDO standard, U2F, is what currently lets users log into Google, Facebook, Dropbox, GitHub, and more with YubiKey-style USB security keys; such a key holds a private key that never leaves the device and signs a fresh challenge on every login, rather than storing a secret token that gets sent to the site.
WebAuthn works along the same lines as the FIDO 2.0 Web API, but it supports many kinds of authenticators besides USB security keys.
Alongside WebAuthn, the browser-side API that websites call, the FIDO Alliance also announced today the Client to Authenticator Protocol (CTAP).
CTAP is WebAuthn's companion protocol. Its role is to carry the browser's request to an external authenticator over USB, NFC, or Bluetooth, such as a security key or a smartphone acting as one, and to bring back the signed proof of authentication. Built-in authenticators, such as a laptop's or phone's own fingerprint sensor, are reached through the operating system's platform APIs instead.
The two specifications have to work together for this safer authentication scheme to function end to end.
According to the W3C and FIDO, the biggest win is for users, whose logins become resistant to phishing, man-in-the-middle, and replay attacks: the credential is a public/private key pair bound to the site's origin, the private key never leaves the authenticator, and each login signs a fresh server-issued challenge, so there is no reusable password to steal or replay.
Website owners benefit too. Instead of running their own password handling and storing password hashes, they keep only a public key per registered credential and defer the user-facing authentication step to the browser and the user's authenticator. The site still has to verify the signed response it gets back before trusting it.