W3C launches effort to replace passwords
The World Wide Web Consortium (W3C) is launching a new standards effort in web authentication that aims to offer a more secure and flexible alternative to password-based logins on the Web.
For many web users, passwords are annoying to use and offer weak protection for their interactions – they’re too often forgotten or set to easily-guessed combinations. Even strong passwords can be lost in data breaches or targeted in phishing attacks.
W3C’s new web authentication work, based upon the member submission of FIDO 2.0 Web APIs from the FIDO Alliance, will enable the use of strong cryptographic operations in place of password exchange.
Web authentication complements current W3C activities
According to W3C CEO Dr. Jeff Jaffe, the Web Authentication effort will complement prior W3C work on a Web Cryptography API, and on-going work on web application security specifications.
The WebCrypto API provides a Javascript API to a standard suite of cryptographic operations across browsers. Work in WebAppSec includes improvements to the HTTPS experience and updates to Content Security Policy, enabling application authors to set policy for what active content is permitted to run on their sites, protecting them against injection of unwanted or malicious code.
“We’ve seen much better authentication methods than passwords, yet too many web sites still use password-based logins. Standard Web APIs will make consistent implementations work across the web ecosystem. The new approach will replace passwords with more secure ways of logging into web sites, such as using a USB key or activating a smartphone,” said Wendy Seltzer, Technology and Society Domain Lead.
Why passwords are still important
Per Thorsheim, Independent Information Security Advisor and founder of PasswordsCon, is happy that the FIDO Alliance and W3C working together.
“I strongly believe that we don’t need more standards, we need fewer and better standards. I do wonder though if the number of compromised credentials over the past year is higher than cases of forgotten passwords. By this I once again highlight the fact that most compromises happen due to bad security at the service provider, not because of bad user passwords. Are we trying to solve a security problem, a UX problem, or both?” he commented for Help Net Security.
He also noted that, on the privacy and legal side of secure authentication, a new issue is becoming more visible every day: the right to remain silent in order to not incriminate yourself.
“If you get arrested in the US they will get your fingerprints, and they are legally allowed to use those to gain access to anywhere you are using fingerprint as your choice of authentication. Travelling across borders? Depending on where you come from and where you are going, you have to give up your fingerprints. Getting illegal access to your fingerprints? That’s already been shown on Mythbusters and demonstrated by the Chaos Computer Club a long time ago. If you have any electronics they can confiscate it, do forensics and use any evidence against you. If you have a FIDO Alliance compliant U2F hardware token with you, they can confiscate that token and use it to easily gain access to wherever you have used it,” he says.
But, as he pointed out, they cannot legally ask you to give up your password. “It is your last and probably still your most important line of defence.”
“Bottom line is simple: as long as they develop standards and tools that supplement and improve the security of a password I’m all for it. Just don’t take away my password please,” he added.