The FIDO Alliance and the World Wide Web Consortium (W3C) say they have achieved a standards milestone in the global effort to bring simpler yet stronger web authentication to users around the world. The W3C has advanced Web Authentication (WebAuthn), a collaborative effort based on Web API specifications submitted by FIDO to the W3C, to the Candidate Recommendation (CR) stage. The CR is the product of the Web Authentication Working Group, which is composed of representatives from more than 30 member organisations. CR is a precursor to final approval of a web standard, and the W3C has invited online services and web app developers to implement WebAuthn.WebAuthn defines a standard web API that can be incorporated into browsers and related web platform infrastructure which gives users new methods to securely authenticate on the web, in the browser and across sites and devices. WebAuthn has been developed in coordination with FIDO Alliance and is a core component of the FIDO2 Project along with FIDO's Client to Authenticator Protocol (CTAP) specification. CTAP enables an external authenticator, such as a security key or a mobile phone, to communicate strong authentication credentials locally over USB, Bluetooth or NFC to the user's internet access device (PC or mobile phone). The FIDO2 specifications collectively enable users to authenticate to online services with desktop or mobile devices with phishing-resistant security.”With the new FIDO2 specifications and leading web browser support announced today, we are taking a big step forward towards making FIDO Authentication ubiquitous across all platforms and devices,” said Brett McDowell, executive director of the FIDO Alliance. “After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications.”Google, Microsoft, and Mozilla have committed to supporting the WebAuthn standard in their browsers and have started implementation for Windows, Mac, Linux, Chrome OS and Android platforms.”Security on the web has long been a problem which has interfered with the many positive contributions the web makes to society,” says W3C CEO Jeff Jaffe. “While there are many web security problems and we can't fix them all, relying on passwords is one of the weakest links. With WebAuthn's multi-factor solutions we are eliminating this weak link. WebAuthn will change the way that people access the web.”According to the two organisations, the completion of the FIDO2 standardisation efforts, promotion of WebAuthn along the W3C standards track, and the commitment of leading browser vendors to implementation opens a new era of ubiquitous, hardware-backed FIDO Authentication protection for everyone using the internet.The Fido Alliance says that enterprises and online service providers looking to protect themselves and their customers from the risks associated with passwords – including phishing, man-in-the-middle attacks and the abuse of stolen credentials – can soon deploy standards-based strong authentication that works through the browser or via an external authenticator. Deploying FIDO Authentication enables online services to provide choice to users from an interoperable ecosystem of devices people use every day, such as mobile phones and security keys.It adds: “The standardisation of the new FIDO2 specifications in browsers and operating systems will further expand the reach of FIDO Authentication, which is already available on hundreds of millions of devices and offered to more than 3.5 billion user accounts worldwide through services from companies such as Google, Facebook, NTT DOCOMO, Bank of America and many more. The new specifications complement existing passwordless FIDO UAF and second-factor FIDO U2F use cases, and expand the availability of FIDO Authentication. FIDO2 web browsers and online services are fully backwards compatible with all previously certified FIDO Security Keys.”FIDO will soon launch interoperability testing and will issue certifications for servers, clients and authenticators adhering to FIDO2 specifications. Additionally, FIDO will introduce a new Universal Server certification for servers that interoperate with all FIDO authenticator types (FIDO UAF, FIDO U2F, WebAuthn, CTAP).