W3C Submission Hints At Strong Future For U2F

November 19, 2015 3 minute read
YubiKey gift cards hanging in store

As with any growing standards organization, the FIDO Alliance is evolving. Today, the organization marks a glimpse of where it’s headed and how U2F will help make secure login easy and available for all internet users.

The FIDO Alliance has submitted to the World Wide Web Consortium (W3C) a set of specifications defining a Web API to enable high-security web applications that offer secure user authentication. This FIDO-built Web API can be seen as a natural evolution and a superset of the FIDO U2F Web API. It is intended to ensure standards-based strong authentication across all web browsers and related web platform infrastructure.

This is great news for Yubico’s customers as these Web API specifications will end up in all browsers. Our goal is to make the YubiKey ubiquitous, leveraged by universal support in leading platforms and browsers.

A year after the U2F specs were finalized, Google, Dropbox, and GitHub are on our list of large scale services supporting U2F, and many more are on their way. In the same timeframe, the U2F Technology Working Group has developed technical specifications for NFC and Bluetooth transports to address mobile applications. (For a look at the current U2F ecosystem, see our blog post.)

The FIDO 2.0 Technology Working Group was formed in late 2014 to address a wider range of authentication use cases, including the passwordless experience, and platform support for computers, phones, and other devices. This Web API submission to the W3C, from the FIDO 2.0 Technology Working Group, consists of three technical specifications required to define a standard web-based API, and is designed to increase FIDO’s existing desktop, Chrome, Android, and iOS support. The contributed FIDO specifications will be handled by a new group W3C is creating called the Web Authentication Working Group.

The W3C is the steward of the web with its principles of an open, secure, and democratized platform. It develops protocols and guidelines that ensure the long-term growth of the web.

Yubico agrees with the W3C’s principles as they are core to our own philosophy. We are working closely with the FIDO 2.0 Technology Working Group, including Google and Microsoft, with the goal to keep protocols lean and scalable, and offer a seamless evolution and migration path between FIDO U2F and FIDO 2.0.

The FIDO Alliance strategy is that every computing device will have built-in support for FIDO standards, just as we see today with standards like Bluetooth or Wi-Fi. To enable a higher level of security and privacy, users will need simple and portable external FIDO devices, including YubiKeys. These will also be needed as bridges when migrating to a new phone or computer, when any of these devices are broken or lost, with billions of existing computing devices, or to log in from a borrowed device.

For the time being, the bulk of FIDO 2.0 work is still under development at the Alliance, and it will take some time before this superset of U2F is completed. In parallel, we are working with many service providers who are adding support for FIDO U2F today to provide proven, simple and strong authentication now and into the future.

Step-by-step, we are getting closer to our vision of enabling one YubiKey to any number of online services. And, one day, you will walk into your local convenience store, and you will find a YubiKey there, perhaps hanging among the gift cards: the key that allows you to fully own and control your secure online identity.

Share this article:

Recommended content

The Key to Trust

As the principal inventor behind both the Security Key and U2F protocol, we are true supporters of open standards. To realize our mission of making secure login ubiquitous, we designed the original Security Key, and provided the majority of the open source code and test tools for FIDO U2F and the latest version of the ...

WebUSB in Google Chrome and Responsible Disclosure

Authored by Venkat Venkataraju & Jesper Johansson Yubico Blog Update and Statement – 6/18/18 On June 13, 2018 we published this blog post and security advisory regarding WebUSB issues in Chrome. In hindsight we realize that we did not give enough credit in our blog post and security advisory to the foundational work done by Markus ...

What is FIDO2?

Last month, open authentication standards reached an important milestone; Microsoft launched support for FIDO2 and CTAP, and the World Wide Web Consortium (W3C) won approval for WebAuthn. Since then, Yubico has received questions on how these efforts are related, what role FIDO U2F and Yubico have in the mix, and what organizations can implement now ...

Yubico Launches Passwordless Login with new Security Key and FIDO2

Today, together with the FIDO Alliance, we made a big announcement that paves the way to a passwordless future. We revealed the new Security Key by Yubico as well as our new Developer Program, both of which support the new FIDO2 open standard for passwordless authentication. Why is this important? Think of a time when ...