The World Wide Web Consortium (W3C), the entity that maintains the standards used across the internet, said on Monday, April 9, that Google, Microsoft, and Mozilla signed on to support web-based technology for biometric authentication. In other words, Chrome, Edge, and Firefox will soon support signing into online accounts using fingerprint scanners, voice authentication, facial recognition, and so on without additional software.
The support for biometric logins stems from the Web Authentication (WebAuthn) standard submitted by the Fast Identity Online (FIDO) Alliance, another consortium focused on security solutions. It defines how browsers can utilize a component built into web pages that can access biometric-based hardware without any additional software or browser plugins installed on the user’s machine.
Moreover, WebAuthn supports FIDO’s Client to Authenticator Protocol (CTAP). This specification enables an external device, such as a security key or smartphone, to authenticate an account or service through USB, Bluetooth, or NFC connectivity. Thus, if your desktop or laptop doesn’t include a fingerprint scanner or infrared camera, an external device could work as a substitute.
“After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications,” Brett McDowell, executive director of the FIDO Alliance, said in a statement.
Google, Microsoft, and Mozilla (and possibly Opera) are currently adding support for WebAuthn and CTAP in their browsers for Windows, macOS, Linux, Chrome OS, and Android. Meanwhile, both specifications are now available for developers and service designers to support web-based biometric authentication. The move will help reduce or possibly prevent phishing, man-in-the-middle attacks, and credential theft.
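The phishing resistance comes from the browser writing the page's origin and the server's challenge into the client data that the authenticator's signature covers. The sketch below is an added example, not code from the article, the W3C, or FIDO: it shows the checks a website's server would run on that client data for a login, and the origin, challenge, and sample responses are constructed for illustration.

```javascript
// Added example: the client-data checks a relying party runs on a WebAuthn
// login response, before it verifies the authenticator's signature.
// EXPECTED_ORIGIN and all sample values are constructed for illustration.
const EXPECTED_ORIGIN = "https://login.example.com";

// The server issues a fresh random challenge per login; fixed bytes here.
const issuedChallenge = Buffer.from([7, 21, 42, 63, 84, 105, 126, 147]).toString("base64url");

function verifyClientData(clientDataJSON, expected) {
  let data;
  try {
    data = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  if (data === null || typeof data !== "object") {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  // "webauthn.get" marks a login assertion ("webauthn.create" is registration).
  if (data.type !== expected.type) return { ok: false, reason: "wrong ceremony type" };
  // The challenge must be the one this server issued for this session.
  if (data.challenge !== expected.challenge) return { ok: false, reason: "challenge mismatch" };
  // The browser, not the page, fills in the origin, so another site cannot claim ours.
  if (data.origin !== expected.origin) return { ok: false, reason: "origin mismatch" };
  return { ok: true, reason: "client data accepted" };
}

// Builds the bytes a browser would return (constructed sample input).
function sampleClientData(origin, challenge) {
  return Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }), "utf8");
}

function demo() {
  const expected = { type: "webauthn.get", challenge: issuedChallenge, origin: EXPECTED_ORIGIN };
  return {
    genuine: verifyClientData(sampleClientData(EXPECTED_ORIGIN, issuedChallenge), expected),
    otherOrigin: verifyClientData(sampleClientData("https://login.example.net", issuedChallenge), expected),
    stale: verifyClientData(sampleClientData(EXPECTED_ORIGIN, "b2xkLWNoYWxsZW5nZQ"), expected),
    garbage: verifyClientData(Buffer.from("not json"), expected),
  };
}

console.log(demo());
```

A complete verifier goes on to check the relying-party ID hash and flags in the authenticator data and then the signature over that data and the hash of the client data.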
WebAuthn and CTAP are part of the FIDO2 Project. WebAuthn is actually a collaboration between FIDO and the W3C based on the latter’s Web API specification. WebAuthn is specifically designed to use FIDO Authentication and is backed by more than 260 FIDO members including ARM, Google, Intel, Lenovo, MasterCard, Microsoft, PayPal, Qualcomm, Samsung, Visa, and many more.
The new specifications are backward-compatible with FIDO’s current authentication platforms: the password-free FIDO UAF and the second-factor FIDO U2F services. Both rely on biometric authentication, but the FIDO UAF version resides within an app or program and relies on a device that is registered with a website or service. The second version relies on a USB stick or NFC connection to serve as part two of a two-step authentication process.
“FIDO will soon launch interoperability testing and will issue certifications for servers, clients, and authenticators adhering to FIDO2 specifications,” W3C adds. “Additionally, FIDO will introduce a new Universal Server certification for servers that interoperate with all FIDO authenticator types.”
The move to use biometric authentication seeks to eliminate the need for login credentials when purchasing goods online, signing onto streaming services, and so on. Currently, many Windows 10 devices let you sign in using a finger or face via Windows Hello. Other examples include fingerprint scanners built into Apple and Samsung’s smartphones used for unlocking the devices and authorizing logins and payments.