
Web Authentication

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Web Authentication
Other names: FIDO2, PXN
Developer: World Wide Web Consortium; FIDO Alliance
Initial release: 2018
Latest version: FIDO2 / W3C WebAuthn
Type: Authentication standard


Web Authentication is a standards-based authentication framework designed to replace password-centric access with public-key cryptography, hardware authenticators, and platform APIs. It emerged from collaboration among the World Wide Web Consortium, the FIDO Alliance, browser vendors such as Google, Mozilla, and Microsoft, and platform vendors such as Apple, and has been adopted by services including Google Account, Microsoft Account, GitHub, and Dropbox. The specification builds on web platform standards from the WHATWG and the W3C and draws on cryptographic work from institutions such as NIST and research groups at Stanford University and MIT.

Overview

Web Authentication’s design goal is to provide phishing-resistant, scalable, and user-friendly strong authentication for the web, replacing legacy mechanisms used by PayPal, Facebook, Amazon, and eBay. It defines an API that allows relying parties, such as banks like HSBC and JPMorgan Chase and online services like Salesforce and Slack, to register and authenticate public-key credentials created by authenticators built by vendors including Yubico, Feitian Technologies, Samsung Electronics, and Google LLC. The specification interacts with standards such as TLS and with identity frameworks used by the OpenID Foundation, and integrates with identity providers like Okta and Auth0.

Standards and Protocols

The core specification is maintained by the W3C in collaboration with the FIDO Alliance and references other technical standards from bodies like the IETF (e.g., RFC 5246 for TLS) and cryptographic recommendations from NIST Special Publication 800-63B. It complements protocols such as OAuth 2.0 and OpenID Connect used by entities including Google Identity, Microsoft Azure Active Directory, and Amazon Cognito. Interoperability testing and certification programs are managed by the FIDO Alliance and involve testing labs and vendors such as Intertek and UL.

Components and Flows

Key components include the relying party (services like GitHub and Bank of America), the client or user agent (browsers such as Chrome, Firefox, Edge, Safari), and authenticators provided by manufacturers such as Yubico and platform vendors like Apple Inc. and Google. The standard defines ceremonies for registration and authentication, including attestation statements and assertion signatures, which rely on public-key algorithms specified by organizations such as IETF and cryptographic primitives influenced by research from RSA Laboratories and Dan Bernstein’s Curve25519 work. Transport uses browser APIs aligning with web platform standards developed at the WHATWG.

Security Considerations

Security properties draw on cryptographic guidance from NIST, threat models examined in reports from ENISA, and incident analyses from companies like Microsoft Security Response Center and Google Project Zero. The protocol mitigates phishing, replay, and credential stuffing attacks that have impacted services such as Yahoo and Equifax by binding each credential to the relying party's origin, a binding enforced by browsers from vendors like Mozilla Foundation and Google. Attestation and key protection models reference hardware security module vendors such as Thales Group and Trusted Platform Module implementations following specifications from the Trusted Computing Group; guidance is informed by academic work from UC Berkeley and Carnegie Mellon University.

Deployment and Adoption

Major adoption milestones include deployment by Google for Titan Security Key users, enterprise adoption via Microsoft Azure AD and Okta, and certification programs run by the FIDO Alliance with participation from vendors like Yubico, Feitian, SoloKeys, and cloud providers such as Amazon Web Services. Regulatory considerations cite guidance from European Commission initiatives and standards referenced by UK National Cyber Security Centre advisories. Large-scale consumer rollouts have been undertaken by Google Account security and corporate device management solutions from VMware Workspace ONE and MobileIron.

Implementations and Libraries

Client libraries and SDKs are provided by browser vendors Google (Chromium implementations), Mozilla (Firefox), Microsoft (Edge/Chromium), and Apple (Safari/WebKit). Server-side libraries exist from ecosystem contributors: Auth0, Okta, Duo Security (now part of Cisco), ForgeRock, Keycloak (Red Hat), and language-specific libraries maintained by communities associated with Node.js, Python Software Foundation, Ruby on Rails, PHP-FIG, and Java Community Process-affiliated projects. Hardware implementations are produced by Yubico, Feitian Technologies, SoloKeys, Google Titan, and platform authenticators integrated into Android and iOS by Google and Apple.

Privacy and Usability

Privacy assessments reference frameworks from the Electronic Frontier Foundation and guidance from data protection authorities such as the European Data Protection Board and ICO (United Kingdom), discussing user discoverability, attestation privacy, and key unlinkability used by services like Twitter and LinkedIn. Usability research draws on work from Nielsen Norman Group and academic studies at MIT Media Lab and Stanford HCI Group, influencing design decisions in browser UI produced by Google Chrome UX and Mozilla UX. Accessibility and recovery strategies are implemented by identity providers including Okta, Auth0, and enterprise vendors such as Microsoft to balance security with account recovery for users managed by organizations like Harvard University and Stanford University.
