
Password? No, thanks, I have mobile authentication!

March 23, 2016

The future might replace passwords with mobile authentication. On 17 February this year, the World Wide Web Consortium (W3C) announced that it had launched a new standards effort on a different web authentication method: “a more secure and flexible alternative to password-based log-ins on the Web”.

Let’s explore what this could mean for the future of Web authentication and for Internet users, what the W3C is, and how it is trying to improve web access control.

What is W3C?

W3C, dubbed by TNW “the creators of the Web”, is the World Wide Web Consortium, an organization that develops and implements the international standards related to the World Wide Web.

The number of W3C members reached 410 in 2016, a wide panel including governments, government agencies and various tech companies. The Consortium was founded in October 1994 at MIT by the English computer scientist Sir Timothy John Berners-Lee, the same person who is considered to have invented the World Wide Web, and gathered the support of DARPA and of the European Commission.

Its activities take place under the aegis “Web for all” and name web accessibility and internationalization as their main guidelines. Working groups and workshops are also permanently active within the W3C structures, and they issue periodical papers that summarize the discussions, activities and conclusions reached.

The Web Authentication issue (and the mobile authentication solution)

Countless surveys and reports continue to show how either websites or users fail to establish strong protection where Web log-ins are concerned, and incidents of data breach, data loss, identity theft and various other cyber-crime exploits that derive from insecure accounts keep repeating. In view of all this, the question of a better authentication method is more and more pressing.

The W3C answer seems to be oriented towards developing “new standards and best practices for increased security”. Their work is clearly accelerated by the W3C member submission of FIDO 2.0 Web APIs from members of the FIDO Alliance – Fast Identity Online Alliance.

The FIDO industry consortium launched in 2013, aiming to address “the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords”. FIDO counts over 200 members and it focuses on password issues, encryption, authentication (especially two-factor authentication – 2FA or even MFA), related protocols and solutions.

Alternatives to the static password are essential to developing stronger authentication in the future. The working group established to research Web Authentication and provide solutions will try to define “a client-side API providing strong authentication functionality to Web Applications”. The First Public Working Drafts (FPWDs) of its normative deliverables are to be produced in Q1 2016. From there on, it may be a relatively long time until the new standard reaches (if ever) the Web browsers and the users. Mobile authentication still has to wait.

As TNW explains it, the purpose of the working group activity is to deliver viable methods of user identification based not on memorable passwords, but on device identification via a pair of authentication keys. The user would no longer have to type passwords, but will have to possess the required device that allows such an “automated” login.
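
The key-pair login described above can be sketched as a challenge-response exchange; the following is an added example, not code from the article, the W3C or FIDO. It assumes Node.js, an ECDSA P-256 key and hypothetical names (`createDevice`, `createServer`, `shop.example`), and binding the signature to the site origin is a design choice of this sketch.

```javascript
// Added sketch with hypothetical names; this is not the W3C or FIDO API.
const nodeCrypto = require("node:crypto");
// Bytes the device signs: the site origin followed by the 32-byte challenge.
const payload = (origin, challenge) => Buffer.concat([Buffer.from(origin), challenge]);

// Device side: the private key is generated on the device and never leaves it.
function createDevice() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKey, // handed to the site once, at registration
    sign: (origin, challenge) => nodeCrypto.sign("sha256", payload(origin, challenge), privateKey),
  };
}

// Server side: stores public keys and one outstanding challenge per user.
function createServer(origin) {
  const keys = new Map();
  const pending = new Map();
  return {
    register: (user, publicKey) => keys.set(user, publicKey),
    challenge(user) {
      pending.set(user, nodeCrypto.randomBytes(32));
      return pending.get(user);
    },
    login(user, signature) {
      const c = pending.get(user), key = keys.get(user);
      pending.delete(user); // each challenge is accepted at most once
      if (!c || !key) return false;
      return nodeCrypto.verify("sha256", payload(origin, c), key, signature);
    },
  };
}

function demo() {
  const origin = "https://shop.example"; // constructed sample values
  const site = createServer(origin);
  const phone = createDevice();
  site.register("alice", phone.publicKey);
  const attempt = (device, signedOrigin) =>
    site.login("alice", device.sign(signedOrigin, site.challenge("alice")));
  const sig = phone.sign(origin, site.challenge("alice"));
  return {
    ok: site.login("alice", sig),
    replay: site.login("alice", sig), // challenge already consumed
    wrongOrigin: attempt(phone, "https://other.example"),
    otherDevice: attempt(createDevice(), origin), // unregistered key
  };
}
console.log(demo());
```

The server holds only public keys, so a copy of its user table contains nothing that can be typed in or replayed as a credential.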

What would the “no-password” standard mean?

Faster and more reliable digital activities are sure to come from such an important change, along with a unified, internationalized cyber-security authentication standard. A future world of mobile authentication unfolds in front of the enthusiasts’ eyes.

Every user would in turn be associated with at least one device able to support the new type of authentication. The security-related worries could shift to the physical security of such devices, since they will hold the user identification “keys”. Not every situation can be covered yet, however, since neither the technology itself nor its functioning schematics are available to analyze.

Considering how e-payment via smartphone is gaining traction, the mobile authentication concept is heading that way (unless unforeseeable situations occur) with or without API password-free authentication. Using your smartphone to pay for various services, for banking and for accessing your web accounts: those who are wondering what might be next might have a shorter wait than estimated if all goes well.

Is presence on the World Wide Web becoming synonymous with owning a smartphone? How about impoverished people or those who choose not to go fully connected: will they face the possibility of being cut off from the connected world?

All these questions and many others may arise, and they will probably all find the right answers in due time. The year 2016 already provided a possible answer to mobile authentication via the Freedom 251, the world’s cheapest smartphone. Not all technology should be tailored to high-end standards; more accessible solutions that fit every budget are in the works.

However, one standard that cannot be lowered is the cyber-security standard: in a connected digital world any weak entry point holds the risk of affecting all participants. That is a strong motivational factor in developing universal, non-variable strong security solutions that would ensure cyber-protection objectively. Regardless of whether the user is more or less educated, more or less cyber-aware, the authentication method of the future aims at protecting the data, the network, the connected users and ultimately the entire system.