A little over a month ago, W3C WebAuthn became a real internet specification: a published W3C Recommendation. Most of you don’t know what WebAuthn is yet, but many of you will feel the impact in short order. In fact, I will go so far as to say that WebAuthn may change how we all authenticate to the resources we use every day.
We live in a world where the best parts of our individual local hardware and software collection are rarely leveraged to make cloud security decisions. This is because there has never been a vendor-agnostic and privacy-preserving way for cloud resources to interact with individual hardware configurations in any generic way. Until now!
With WebAuthn, any website can call a simple JavaScript API (`navigator.credentials.create()` to register a credential, `navigator.credentials.get()` to authenticate with it) and ask for a public-key credential instead of a password. What happens next is pretty cool – the world’s browsers have worked with the world’s operating system makers and the world’s hardware manufacturers, so that when a website asks for a credential, the browser works with the underlying platform to securely locate a compliant local authenticator and talk to it, and the website never sees anything more than the public key and signed responses.
All of a sudden, there is a way for all the devices close to us to speak for us. Whether it is my fitness device, a built-in fingerprint reader, a soft token or a roaming security key, we now have credible alternatives for passwords, because proximity is what makes these devices hard for an attacker to subvert: an authenticator has to be built in, plugged in, or wirelessly connected to the machine I am actually using.
The ratification of WebAuthn is only a first step. While we have agreement on how we can leverage what is locally connected, deployment is still ongoing and it will take time for all the pieces to be available in a way that can be used anywhere, by anyone. One day, your individual collection of devices will form a flexible, recoverable set of ‘authenticators’ that make it very easy for you to get to your cloud resources. We won’t overwhelm you with technology, but rather use what you already keep with you every day.
The most amazing thing about WebAuthn (and companion specs also ratified at the FIDO Alliance) is how many different companies have had to form consensus before this specification could exist. It has been seven years of debate, proposals, interops, working group meetings, editorial tweaks, liaison work with other specifications, evangelism and working code to get us where we are.
Whatever happens, keep an eye out for W3C WebAuthn and FIDO2. And raise a glass to your neighborhood standards engineer, they deserve it.
Cheers, and congratulations on your ratification, W3C WebAuthn and FIDO2 CTAP2!