No password? No worries! Two new standards aim to make logins an API experience

WebAuthn and CTAP published this week

A pair of authentication standards published this week have received endorsement from Mozilla, Microsoft and Google: the WebAuthn API, and the FIDO Alliance's Client-to-Authenticator Protocol.

The aim of WebAuthn and CTAP is to offer an authentication primitive that doesn't rely on server-stored passwords, since a user's fingerprint or even their unlock pattern is safer for both user and Web site owner.

Just before the WebAuthn API wrapped up after more than two years' work, the World Wide Web Consortium (W3C) last month asked developers to start work on their implementations.

In typically-opaque language, the W3C said WebAuthn is “an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.”

WebAuthn sees a user agent store public key credentials. The API is designed so that access to those credentials is handled in a way that preserves user privacy.

Mozilla edict: 'Web-accessible' features need 'secure contexts'


For example, a user is authenticated against their credentials (like fingerprint) entirely on their client device: WebAuthn tells the Web application the user is authenticated, but doesn't send the credentials up to the server.

Credential protection is the job of “compliant authenticators” such as a trusted applet, TPMs (trusted platform modules) of SEs (secure elements) in the user's environment. External elements like USB, Bluetooth, and NFC devices can also store credentials.

As the W3C explains in its document, the user agent (such as, for example, a phone) should let users store logins under multiple identities in a WebAuthn-compliant implementation.

In welcoming the completion of the standard, the FIDO Alliance notes that the WebAuthn API standard is part of its FIDO2 project (which WebAuthn and CTAP completed).

FIDO's associated CTAP project sets down the detail of external authenticator behaviour (the Bluetooth, NFC and USB devices).

It covers the application protocol between the authenticator and the client, and the bindings of the protocol to different transport protocols (so, for example, the application developer doesn't have to write communications code for USB and Bluetooth from scratch).

The standardisation effort is also an important part of FIDO's goal of getting rid of passwords, since Web applications get a standard way to interact with biometric authentication in the same way as they would interact with a security key – and without passing the credentials upwards to the Web application.

As the FIDO announcement stated: “User credentials and biometric templates never leave the user’s device and are never stored on servers”. ®

Sponsored: What next after Netezza?


More from The Register

Firefox Preview, a new browser for Android from Mozilla

Firefox Preview for Android: Mozilla has another go at a mobile browser

Firefox Focus frozen as Mozilla redirects Android effort ... despite small market share

Today in tortured tech analogies: Mozilla lets Firefox loose in the hen house, and by hen house, we mean the tracking cookie jar, er...

Remember when people didn't use browsers from the one of world's biggest adtech giants?
Image by elroyspelbos

DoH! Mozilla assures UK minister that DNS-over-HTTPS won't be default in Firefox for Britons

As Reg readers will know, you'll have to click a few buttons first
red fox. pic by Shutterstock

This Free software ain't free to make, pal, it's expensive: Mozilla to bankroll Firefox with paid-for premium extras

Browser will remain gratis, optional $$-per-month services to be offered later this year

Mozilla Firefox to begin slow rollout of DNS-over-HTTPS by default at the end of the month

To protect query privacy, browser maker will run everything through Cloudflare
Chrome vs. Firefox

Mozilla says Firefox won't defang ad blockers – unlike a certain ad-giant browser

Extensions still free to use uber-powerful webRequest API to filter crap out of webpages
Google, photo by lightpoet via Shutterstock

Mozilla returns crypto-signed website packaging spec to sender – yes, it's Google

Ad giant's site slurping tech complicates web security model, could give more power to search engines and social networks, Firefox maker warns
Well done, everyone

Finally. Thanks so much, nerds. Google, Apple, Mozilla end government* internet spying for good

* Terms and conditions apply. Offer not valid outside Kazakhstan. Your home may be repossessed if you do not keep up payments

Biting the hand that feeds IT © 1998–2019