
New API Login Standards: WebAuthn and CTAP Published

Is this the beginning of the end for user passwords?

     
5:39 pm on Apr 25, 2018 (gmt 0)

engine
Administrator from GB

joined:May 9, 2000
posts:25423
votes: 723


The W3C and FIDO have published authentication standards which don't rely on storing passwords on servers. The W3C's WebAuthn API and FIDO Alliance's Client-to-Authenticator Protocol (CTAP) are endorsed by Google, Microsoft and Mozilla. Is this the beginning of the end for user passwords?

W3C said WebAuthn is "an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users." It stores the user's credential on the user's own device, and WebAuthn transmits to the web app that the user is authenticated without sending the user's credential to the server.
The standardisation effort is also an important part of FIDO's goal of getting rid of passwords, since Web applications get a standard way to interact with biometric authentication in the same way as they would interact with a security key – and without passing the credentials upwards to the Web application.

As the FIDO announcement stated: “User credentials and biometric templates never leave the user’s device and are never stored on servers”. New API Login Standards: WebAuthn and CTAP Published [theregister.co.uk]
6:30 pm on Apr 25, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Mar 25, 2018
posts:500
votes: 100


But what happens if you want to log on from a different device? Or do you install your private key on each device you want to use? But in that case, if your device is stolen, or used by someone else, they can log on too?
9:17 am on Apr 26, 2018 (gmt 0)

Senior Member from GB 


joined:Aug 11, 2008
posts:1687
votes: 253


My understanding is:
New Device - Authenticate to the (for lack of a better term) CA using username and biometrics for a "password". It gives the device your private key.
Lost Device - Private key is locked behind an on-device biometric lock. You authenticate locally to the device via biometric data, which then authenticates to the remote resource by means of the private key.
10:23 am on Apr 26, 2018 (gmt 0)

keyplyr
Moderator from US

joined:Sept 26, 2001
posts:12068
votes: 766


My 2 banks, 2 credit cards, PayPal and a streaming app all offer biometric (fingerprint) login on my phone. Each one still offers password login as well.

Anyone have a device that does retina scan?
10:44 am on Apr 26, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Mar 25, 2018
posts:500
votes: 100


Isn't it Samsung who created a facial recognition system announced as the future of identification, where it turned out that putting a photo in front of the camera was enough to fool the system :)
3:31 am on Apr 30, 2018 (gmt 0)

keyplyr
Moderator from US

joined:Sept 26, 2001
posts:12068
votes: 766


Never heard that story.

I think Facebook has tried to employ facial recog without success.