No password? No worries! Two new standards aim to make logins an API experience

A pair of authentication standards published this week have received endorsement from Mozilla, Microsoft and Google: the WebAuthn API, and the FIDO Alliance's Client-to-Authenticator Protocol.

The aim of WebAuthn and CTAP is to offer an authentication primitive that doesn't rely on server-stored passwords, since a user's fingerprint or even their unlock pattern is safer for both user and Web site owner.

Just before the WebAuthn API wrapped up after more than two years' work, the World Wide Web Consortium (W3C) last month asked developers to start work on their implementations.

In typically-opaque language, the W3C said WebAuthn is “an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.”

WebAuthn sees a user agent store public key credentials. The API is designed so that access to those credentials is handled in a way that preserves user privacy.

For example, a user is authenticated against their credentials (like fingerprint) entirely on their client device: WebAuthn tells the Web application the user is authenticated, but doesn't send the credentials up to the server.

Credential protection is the job of “compliant authenticators” such as a trusted applet, TPMs (trusted platform modules) of SEs (secure elements) in the user's environment. External elements like USB, Bluetooth, and NFC devices can also store credentials.

As the W3C explains in its document, the user agent (such as, for example, a phone) should let users store logins under multiple identities in a WebAuthn-compliant implementation.

In welcoming the completion of the standard, the FIDO Alliance notes that the WebAuthn API standard is part of its FIDO2 project (which WebAuthn and CTAP completed).

FIDO's associated CTAP project sets down the detail of external authenticator behaviour (the Bluetooth, NFC and USB devices).

It covers the application protocol between the authenticator and the client, and the bindings of the protocol to different transport protocols (so, for example, the application developer doesn't have to write communications code for USB and Bluetooth from scratch).

The standardisation effort is also an important part of FIDO's goal of getting rid of passwords, since Web applications get a standard way to interact with biometric authentication in the same way as they would interact with a security key – and without passing the credentials upwards to the Web application.

As the FIDO announcement stated: “User credentials and biometric templates never leave the user’s device and are never stored on servers”. ®