FIDO, W3C standardize biometric authentication in the browser

The Faster Identity Online Alliance has worked on stronger device authentication methods for the past five years, garnering the attention of nearly every payments technology provider in hopes that static passwords would become a thing of the past.

In seeking to solidify that potential, FIDO Alliance and the World Wide Web Consortium have created Web Authentication (WebAuthn), a new standard that allows approved FIDO Authentication methods to operate through browsers.

Through WebAuthn, browsers will accept the biometric authentication from a user's device when the user enters websites for shopping or to make payments.

FIDO Alliance has pushed biometrics as a key replacement for static passwords and has had the support of major card brands and payments providers during its technology development process.

FIDO Authentication does not replace primary account numbers or payment credential tokenization, but it does represent "an ideal replacement for passwords or one-time passcodes in traditional account authentication contexts," said Brett McDowell, executive director of FIDO Alliance.

With WebAuthn in place, companies that rely on consumers using devices carrying FIDO Authentication can accept those authentication measures on any service offered online. It would come into play for providers like Google, PayPal, Bank of America, Facebook and others.

Google, Microsoft, Mozilla and Opera browsers have committed to supporting WebAuthn in their flagship browsers. The FIDO authentication methods are now available in Firefox, and FIDO expects it to roll out natively in Chrome and Edge over the next few months.

"FIDO is the public key cryptographic protocol behind the scenes when leading payment wallet apps offer their users the option to pay by means of biometric capability on their personal device," McDowell said of WebAuthn.

"The user experience is no different, but with FIDO the security is much better," McDowell added.

FIDO and WebAuthn will help payment service providers in Europe comply with the stronger customer authentication rules of the new Payment Services Directive (PSD2) and also with the biometric data protection provisions of the new General Data Protection Regulation taking hold May 25.

It is not a technology directly related to the Payment Card Industry Security Standards Council's mandate for business owners to migrate by June from the current Secure Socket Layer protocol on their websites to a later version of Transport Layer Security, but McDowell said FIDO operates on top of TLS and requires it to operate.

"In fact, the TLS Token Binding capabilities help FIDO solutions prevent man-in-the-middle attacks," McDowell added.

W3C is encouraging all online services and web app developers to implement WebAuthn, saying it is the result of thousands of hours of development by influential technology and online service organizations.

“Security on the Web has long been a problem which has interfered with the many positive contributions the Web makes to society," W3C CEO Jeff Jaffe said in a Tuesday press release. "While there are many Web security problems and we can't fix them all, relying on passwords is one of the weakest links."

WebAuthn's multifactor solutions eliminate that weak link and "will change the way that people access the web," Jaffe added.