White paper: Bridge to Passwordless best practices
As with any growing standards organization, the FIDO Alliance is evolving. Today, the organization marks a glimpse of where it’s headed and how U2F will help make secure login easy and available for all internet users.
The FIDO Alliance has submitted to the World Wide Web Consortium (W3C) a set of specifications defining a Web API to enable high-security web applications that offer secure user authentication. This FIDO-built Web API can be seen as a natural evolution and a superset of the FIDO U2F Web API. It is intended to ensure standards-based strong authentication across all web browsers and related web platform infrastructure.
This is great news for Yubico’s customers as these Web API specifications will end up in all browsers. Our goal is to make the YubiKey ubiquitous, leveraged by universal support in leading platforms and browsers.
A year after the U2F specs were finalized, Google, Dropbox, and GitHub are on our list of large scale services supporting U2F, and many more are on their way. In the same timeframe, the U2F Technology Working Group has developed technical specifications for NFC and Bluetooth transports to address mobile applications. (For a look at the current U2F ecosystem, see our blog post.)
The FIDO 2.0 Technology Working Group was formed in late 2014 to address a wider range of authentication use cases, including the passwordless experience, and platform support for computers, phones, and other devices. This Web API submission to the W3C, from the FIDO 2.0 Technology Working Group, consists of three technical specifications required to define a standard web-based API, and is designed to increase FIDO’s existing desktop, Chrome, Android, and iOS support. The contributed FIDO specifications will be handled by a new group W3C is creating called the Web Authentication Working Group.
The W3C is the steward of the web with its principles of an open, secure, and democratized platform. It develops protocols and guidelines that ensure the long-term growth of the web.
Yubico agrees with the W3C’s principles as they are core to our own philosophy. We are working closely with the FIDO 2.0 Technology Working Group, including Google and Microsoft, with the goal to keep protocols lean and scalable, and offer a seamless evolution and migration path between FIDO U2F and FIDO 2.0.
The FIDO Alliance strategy is that every computing device will have built-in support for FIDO standards, just as we see today with standards like Bluetooth or Wi-Fi. To enable a higher level of security and privacy, users will need simple and portable external FIDO devices, including YubiKeys. These will also be needed as bridges when migrating to a new phone or computer, when any of these devices are broken or lost, with billions of existing computing devices, or to log in from a borrowed device.
For the time being, the bulk of FIDO 2.0 work is still under development at the Alliance, and it will take some time before this superset of U2F is completed. In parallel, we are working with many service providers who are adding support for FIDO U2F today to provide proven, simple and strong authentication now and into the future.
Step-by-step, we are getting closer to our vision of enabling one YubiKey to any number of online services. And, one day, you will walk into your local convenience store, and you will find a YubiKey there, perhaps hanging among the gift cards: the key that allows you to fully own and control your secure online identity.