W3C Approves WebAuthn as the Web Standard For Password-Free Logins (venturebeat.com)

The World Wide Web Consortium (W3C) today declared that the Web Authentication API (WebAuthn) is now an official web standard. From a report: First announced by the W3C and the FIDO Alliance in February 2016, WebAuthn is now an open standard for password-free logins on the web. It is supported by W3C contributors, including Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, SoftBank, Tencent, and Yubico. The specification lets users log into online accounts using biometrics, mobile devices, and/or FIDO security keys. WebAuthn is supported by Android and Windows 10. On the browser side, Google Chrome, Mozilla Firefox, and Microsoft Edge all added support last year. Apple has supported WebAuthn in preview versions of Safari since December.

  • by DogDude ( 805747 )
    Use a *mobile device* for logging in somewhere? That seems like an extraordinarily bad idea. I wouldn't trust a mobile device for anything that requires security. They come already compromised by Google/Apple, and then most people load them up with all sorts of "apps" that are actually tracking/monitoring programs.

    I'm sure most people will love it.
    • by AmiMoJo ( 196126 ) on Monday March 04, 2019 @10:27AM (#58212864) Homepage Journal

      Most people use really bad passwords over and over for multiple sites. Thus being able to use their mobile device is a vast improvement to their security.

      By the way, do you have any evidence that Google/Apple are actually a security threat to you? For example, it seems like law enforcement is forced to spend hundreds of thousands of dollars to compromise phones because Google/Apple refuse to help them, so I'm wondering exactly what your threat model is.

      • by DogDude ( 805747 )
        I don't think that Google and Apple have any interest in helping law enforcement. What they do do is sell users' info to the highest bidder. The danger comes from either somebody directly purchasing personal info, or just from somebody malicious getting their hands on the tons and tons of marketing info that's already being sold.

        I agree that if most people are using weak passwords everywhere, it'd be an improvement, but for those of us who take security seriously, it's a non-starter. (I don't use a "s
        • by AmiMoJo ( 196126 )

          What they do do is sell users' info to the highest bidder

          That too has been debunked. It doesn't even pass the sniff test - why would they sell their most valuable asset, the thing that the value of their advertising services derives from?

          Obviously if you have any evidence showing that they have in fact sold personal info I'd very much like to see it, so I can file a GDPR complaint against them. Because it's illegal in the EU.

        • by stooo ( 2202012 ) on Monday March 04, 2019 @11:23AM (#58213196) Homepage

          >> sell users' info to the highest bidder.

          Nope. They sell your data to any bidder. Why would they limit themselves to only one ?

          • Re: (Score:2, Interesting)

            by AmiMoJo ( 196126 )

            How does one access these user data auctions? Presumably they are wide open to everyone, in order to maximize profit.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        "For example, it seems like law enforcement is forced to spend hundreds of thousands of dollars to compromise phones because Google/Apple refuse to help them, so I'm wondering exactly what your threat model is."

        For a lot of people you just spelt it out. :) Different AC here and I don't find Apple refusing to unlock a phone a threat to me. I do find Google's tracking to be a threat though. Half the web is locked away if you refuse to play with Google. That is by design. I find the inability my phone

      • Most people use really bad passwords over and over for multiple sites. Thus being able to use their mobile device is a vast improvement to their security.

        The vector actually being exploited in the real world is the user. This is addressable by deployment of secure authentication protocols which protect users from themselves.

        Throwing up new barriers that either have a negative impact on security (Automated password/device reset/recovery) or increase annoyance and risk of nuisance lockout... (my device broke and I can't login anymore) are not helpful to real people. They are simply annoying and pointless.

        Fixing actual problems with password authentication by

    • Use a *mobile device* for logging in somewhere? That seems like an extraordinarily bad idea. I wouldn't trust a mobile device for anything that requires security.

      That's kind of hilarious because the OPPOSITE is true. You are an idiot if you trust any desktop OS to truly secure material, with years of hidden security holes and apps not really that well sandboxed.

      I only deal with banks now through mobile apps if I can help it, because it is WAY more secure. I can control what updates go on my device, I can

      • I'm on iOS

        Now I've got your thoughts... if you need security, open source software OS is not an option

  • by Anonymous Coward

    "using biometrics"
    I sure have no such hardware, nor any want to use one...

    "mobile devices"
    Would never use a surveillance device, and neither would any sane person.

    "FIDO security keys"
    I haven't the faintest idea what this even is. Fidonet?

  • "W3C Approves WebAuthn as the Web Standard For Password-Free Logins"

    "WebAuthn is now an open standard for password-free logins on the web"

    So is there one standard or many?

    • There are probably many, and this is one which is endorsed by the central authority.

      I wish they'd have included PKI as part of the FIDO standards. Those security keys would have been amazing for that. Plug in and read your e-mail, all messages end-to-end encrypted.

    • So is there one standard or many?

      Yes.

    • We put several authentication options in the HTTP spec back in the 1990s. Some pretty secure, one was specifically marked as not secure. It was intended to be used the same way you'd use the latch on a bathroom stall. Of the three standards, the only one anyone ever used was trivial one, basic authentication. After that most people started coding their own really bad authentication schemes, often based on PHP sessions.

      Then came SAML. A lot of larger companies used SAML, for handing off users after they w

      • they think that it'll be easier to come up with some homemade crap. We'll see if this effort gets people actually using a non-crap design.

        But building new stuff is interesting and I already know exactly how it "works" -- reading books and RFPs is hard, and you have to think about it, and those guys are all just too stuffy and boring in the first place.

        I'm a programming literary giant -- like e. e. cummings, Robert Frost, and Katy Perry. *I* don't produce crap -- I produce architectures, masterpieces, just wonderful walls of code that make other people cry.

    • There is one W3C approved password-free login standard.

      There are many open standards.

      Context matters.
  • by Anonymous Coward
    So instead of something you have / know / are - choose any two - it's now "Something you have." It's a great improvement over the atrociously insecure "We'll [collect your phone number for our database] and send a text to your cell phone [which might not even be your phone because SS7 is hopelessly insecure]" but killing the password entirely simply shifts the problem to how do you secure a bunch of Yubikeys?

    How do I, for example, log in using a CLI? How is this any different than, say, storing my private

    • by moronoxyd ( 1000371 ) on Monday March 04, 2019 @10:19AM (#58212838)

      So instead of something you have / know / are - choose any two - it's now "Something you have."

      WebAuthn is not a replacement for 2FA, but for password logins. So where before you only had "something you know" you can now choose between "something you have (FIDO key) / know (password) / are (biometrics)".

      • by Meneth ( 872868 ) on Monday March 04, 2019 @11:35AM (#58213262)
        Both of which are harder to replace when their server counterparts are deleted or leaked.
        • "Both of which"? I listed three things, so you should specify which two you are talking about (probably something you have and something you are).

          My comment didn't make any statement about the usefulness or security of WebAuthn but was only meant to point out that the AC's comment was based in misrepresentation.

  • Why is the server standard not also a W3C standard? Then maybe we would have EdDSA as required instead of recommended like in the FIDO2 clusterfuck.

  • What about SQRL? (Score:5, Interesting)

    by MycoMan ( 132840 ) on Monday March 04, 2019 @12:43PM (#58213576)

    Isn't this the best answer? Mr. Gibson's carefully thought out technology - and open.
    https://www.grc.com/sqrl/sqrl.htm [grc.com]

    • I kind of like the idea but there are a few downsides:
      - They have no backing from large players, partly because of the project aversion to them.
      - No device -> no login. there is no way to login on an internet café if you lose your phone (unless you have a copy of your seed in your wallet and blindly trust the café). This is, again, partly because of the project aversion to big players playing the role of gatekeepers.
      - possibly patent encumbered. The project tries to

  • by Srin Tuar ( 147269 ) <zeroday26@yahoo.com> on Monday March 04, 2019 @01:23PM (#58213856)

    They rolled their own custom elliptic curve, amateurishly.

    They have mandatory support for weak/broken RSA modes.

    https://paragonie.com/blog/201... [paragonie.com]
