
New API Login Standards: WebAuthn and CTAP Published

Is this the beginning of the end for user passwords?


engine

5:39 pm on Apr 25, 2018 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



The W3C and FIDO have published authentication standards which don't rely on storing passwords on servers. The W3C's WebAuthn API and the FIDO Alliance's Client-to-Authenticator Protocol (CTAP) are endorsed by Google, Microsoft and Mozilla. Is this the beginning of the end for user passwords?

W3C said WebAuthn is, "an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users." It stores the user's credential on the user's own device, and WebAuthn transmits to the web app that the user is authenticated without sending the user's credential to the server.
The standardisation effort is also an important part of FIDO's goal of getting rid of passwords, since Web applications get a standard way to interact with biometric authentication in the same way as they would interact with a security key – and without passing the credentials upwards to the Web application.

As the FIDO announcement stated: “User credentials and biometric templates never leave the user’s device and are never stored on servers”. New API Login Standards: WebAuthn and CTAP Published [theregister.co.uk]

Travis

6:30 pm on Apr 25, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



But what happens if you want to log on from a different device? Or do you install your private key on each device you want to use? But in that case, if your device is stolen, or used by someone else, they can log on too?

Shaddows

9:17 am on Apr 26, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



My understanding is:
New Device - Authenticate to the (for lack of a better term) CA using username and biometrics for a "password". It gives the device your private key.
Lost Device - Private key is locked behind an on-device biometric lock. You authenticate locally to the device via biometric data, which then authenticates to the remote resource by means of the private key.

keyplyr

10:23 am on Apr 26, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



My 2 banks, 2 credit cards, PayPal and a streaming app all offer biometric (fingerprint) login on my phone. Each one still offers password login as well.

Anyone have a device that does retina scan?

Travis

10:44 am on Apr 26, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



Isn't it Samsung who created a facial recognition system announced as the future of identification, whereas it turned out that putting a photo in front of the camera was enough to fool the system? :)

keyplyr

3:31 am on Apr 30, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Never heard that story.

I think Facebook has tried to employ facial recog without success.