Web Authentication | WebAuthN | Now a CR (Candidate Recommendation)

Today marks another significant milestone in replacing the universal reliance on passwords and Nok Nok Labs is proud to be one of the co-authors and designers of the WebAuthN specification with Google, Microsoft, PayPal and others.  Today’s significant achievement is the W3C Web Authentication specification reaching “Candidate Recommendation” (CR) status. This is a major milestone for transforming the way authentication works and one that we should pause to celebrate.

Web Authentication specifies a JavaScript API to be implemented by web browsers and will allow a website to trigger convenient and strong authentication using biometrics, tokens and other methods of authentication directly from the browser.  This milestone fulfills a key goal we set for ourselves when the founders of Nok Nok Labs created the FIDO Alliance in February of 2013 with a vision to change how authentication worked in the modern computing ecosystem.

Today’s milestone means that browser vendors will now start to deliver strong authentication, based on our work at the FIDO Alliance, that can be accessed through a standard JavaScript API across browsers and operating systems.  The final standard will work its way through the W3C this year with a focus on interoperability and stitching up any issues that emerge into a final W3C standard. This is the starting signal for browsers to deliver the FIDO way of doing strong authentication.  

We have provided our customers and partners early briefings and access to some of this work through our partnerships with Microsoft and Google. Our products support this emerging standard in addition to the other well established FIDO standards (UAF and U2F) allowing for the broadest coverage of use cases and security models, all delivered at web-scale and carrier-grade quality through the NNL S3 Authentication Suite.  As inventors and authors of the key ideas behind this standard we are able to provide trusted guidance to our community about how best to adapt these standards to use cases.

In future posts, we will start to detail what we designed this standard to achieve, the use cases it works best for and how we expect it to roll out over the next two years.

We’re enormously proud that our vision and ideas were accepted and shared by the broad community of browser and platform vendors who will be adopting this specification over the coming year.  As one of colleagues says “...some problems are too big for any one company, no matter how large or powerful to solve on their own - it requires an ecosystem that can agree on a common standard”.  Today’s CR is a huge step further in that direction.