The World Wide Web Consortium (W3C), an organization that promotes the standardization of Web technologies, has formally recommended Web Authentication (WebAuthn), a new passwordless web authentication API. It was co-developed with the Fast IDentity Online Alliance (FIDO Alliance), a nonprofit that aims to standardize new online authentication technologies.
Existing web services commonly use an ID and password to log in. However, this approach carries security risks from password leakage and reuse. Web authentication is a new authentication method that does not use passwords at all.
Web authentication is similar to two-factor authentication with a security key, but at login it uses a security key or biometrics built into the device, such as fingerprint authentication, instead of a password. Biometric authentication here does not mean that fingerprint information is stored directly in the web service.
For example, when a fingerprint is registered with a service, a private key and a public key associated with that fingerprint are generated using public-key cryptography, and only the public key is transmitted to the service. The private key is stored on the device and can only be accessed after authenticating with the corresponding fingerprint. Therefore, even if a public key is leaked from the server, it is not possible to log in without the device used for registration.
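The registration and login flow described above, modelled with Node.js's built-in crypto module as an added example (not code from the W3C or FIDO specifications). It is a simplification: a real authenticator signs structured authenticator and client data, and the names `createAuthenticator`, `RelyingParty`, the `userVerified` flag and the `service.example` origin are assumptions made for illustration.

```javascript
// Simplified model of the WebAuthn key flow; not the browser API or the real message format.
// All names below are illustrative assumptions.
const nodeCrypto = require('node:crypto');

// Device side: the key pair is generated on the device and the private key stays in this closure.
function createAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    // Only the public key is exported for registration.
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    // userVerified stands in for the local fingerprint check that unlocks the key.
    sign(challenge, origin, userVerified) {
      if (!userVerified) throw new Error('user verification failed');
      return nodeCrypto.sign('sha256', Buffer.concat([Buffer.from(origin), challenge]), privateKey);
    },
  };
}

// Service side: stores public keys only and issues one random challenge per login attempt.
class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map();
    this.pending = new Map();
  }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verifyLogin(user, signature) {
    const challenge = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    this.pending.delete(user); // challenges are single use
    if (!challenge || !pem) return false;
    const signed = Buffer.concat([Buffer.from(this.origin), challenge]);
    return nodeCrypto.verify('sha256', signed, pem, signature);
  }
}

// Constructed scenario: the registered device logs in; a different device cannot.
function demo() {
  const rp = new RelyingParty('https://service.example');
  const device = createAuthenticator();
  rp.register('alice', device.publicKeyPem);
  const legit = rp.verifyLogin('alice', device.sign(rp.newChallenge('alice'), rp.origin, true));
  const other = createAuthenticator(); // holds a different private key
  const wrongDevice = rp.verifyLogin('alice', other.sign(rp.newChallenge('alice'), rp.origin, true));
  return { legit, wrongDevice };
}
```

The server's stored data (`publicKeys`) is enough to verify a signature but not to produce one, which is why a leak of that store does not let anyone log in.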
Devices used for this must also be FIDO2 certified. On Android, the latest version of the operating system is FIDO2 certified and can be used for web authentication.
Web authentication is already supported in Windows 10, Android, Chrome OS, and in web browsers such as Firefox and Safari. However, only a limited number of services currently support it, so adoption will need to expand in the future.
81% of data leakage incidents are caused by the use of easy-to-guess passwords or the theft of passwords. The time users spend entering and setting passwords over the years is also significant. W3C advises that web services and companies need to support web authentication that is stronger than password-based authentication, improving both security and usability for users.
Of course, a W3C recommendation is not binding; whether to adopt it depends on the company and the service. However, because companies that support the W3C, such as Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, and SoftBank, hold a large share of the global market, systems are likely to change to support web authentication.