Archive for the 'Phishing Resistance' Category

October 21, 2021
OpenID and FIDO Presentation at October 2021 FIDO Plenary

OpenID logoFIDO logoI described the relationship between OpenID and FIDO during the October 21, 2021 FIDO Alliance plenary meeting, including how OpenID Connect and FIDO are complementary. In particular, I explained that using WebAuthn/FIDO authenticators to sign into OpenID Providers brings phishing resistance to millions of OpenID Relying Parties without them having to do anything!

The presentation was:

October 13, 2021
Proof-of-possession (pop) AMR method added to OpenID Enhanced Authentication Profile spec

OpenID logoI’ve defined an Authentication Method Reference (AMR) value called “pop” to indicate that Proof-of-possession of a key was performed. Unlike the existing “hwk” (hardware key) and “swk” (software key) methods, it is intentionally unspecified whether the proof-of-possession key is hardware-secured or software-secured. Among other use cases, this AMR method is applicable whenever a WebAuthn or FIDO authenticator are used.

The specification is available at these locations:

Thanks to Christiaan Brand for suggesting this.

June 23, 2021
Second Version of FIDO2 Client to Authenticator Protocol (CTAP) Now a Standard

FIDO logoThe FIDO Alliance has completed the CTAP 2.1 Specification. This follows the publication of the closely-related second version of the W3C Web Authentication (WebAuthn) specification.

Today’s FIDO Alliance announcement describes the enhancements in the second version as follows:

Enhancements to FIDO standards to accelerate passwordless in the enterprise

The FIDO Alliance has announced enhancements to its FIDO2 specifications, which include several new features that will be helpful for passwordless enterprise deployments and other complex security applications. Both FIDO2 specifications were recently updated by their governing bodies – with the World Wide Web Consortium (W3C) approving WebAuthn Level 2 and FIDO doing the same for CTAP 2.1.

Key to these enhancements is enterprise attestation, which provides enterprise IT with improved management of FIDO authenticators used by employees. Enterprise attestation enables better binding of an authenticator to an account, assists with usage tracking and other management functions including credential and pin management, and biometric enrollment required in the enterprise.

Other updates include support for cross-origin iFrames and Apple attestation, as well as improvements to resident credentials. More details on these and other FIDO specification enhancements are available here.

April 14, 2021
Second Version of W3C Web Authentication (WebAuthn) Now a Standard

W3C logoThe World Wide Web Consortium (W3C) has published this Recommendation for the Web Authentication (WebAuthn) Level 2 specification, meaning that it now a completed standard. While remaining compatible with the original standard, this second version adds additional features, among them for user verification enhancements, manageability, enterprise features, and an Apple attestation format. The companion second FIDO2 Client to Authenticator Protocol (CTAP) specification is also approaching becoming a completed standard.

See the W3C announcement of this achievement. Also, see Tim Cappalli‘s summary of the changes in the second versions of WebAuthn and FIDO2.

March 31, 2021
Second Version of FIDO2 Client to Authenticator Protocol (CTAP) advanced to Public Review Draft

FIDO logoThe FIDO Alliance has published this Public Review Draft for the FIDO2 Client to Authenticator Protocol (CTAP) specification, bringing the second version of FIDO2 one step closer to becoming a completed standard. While remaining compatible with the original standard, this second version adds additional features, among them for user verification enhancements, manageability, enterprise features, and an Apple attestation format.

This parallels the similar progress of the closely related second version of the W3C Web Authentication (WebAuthn) specification, which recently achieved Proposed Recommendation (PR) status.

February 28, 2021
Second Version of W3C Web Authentication (WebAuthn) advances to Proposed Recommendation (PR)

W3C logoThe World Wide Web Consortium (W3C) has published this Proposed Recommendation (PR) for the Web Authentication (WebAuthn) Level 2 specification, bringing the second version of WebAuthn one step closer to becoming a completed standard. While remaining compatible with the original standard, this second version adds additional features, among them for user verification enhancements, manageability, enterprise features, and an Apple attestation format.

December 31, 2020
Near-Final Second W3C WebAuthn and FIDO2 CTAP Specifications

W3C logoFIDO logoThe W3C WebAuthn and FIDO2 working groups have been busy this year preparing to finish second versions of the W3C Web Authentication (WebAuthn) and FIDO2 Client to Authenticator Protocol (CTAP) specifications. While remaining compatible with the original standards, these second versions add additional features, among them for user verification enhancements, manageability, enterprise features, and an Apple attestation format. Near-final review drafts of both have been published:

Expect these to become approved standards in early 2021. Happy New Year!

May 22, 2019
W3C WebAuthn and FIDO 2.0 win 2019 European Identity and Cloud Award

EIC logoThe W3C WebAuthn and FIDO 2.0 standards have won the 2019 European Identity and Cloud Award for Best Future Technology / Standard Project at the European Identity and Cloud (EIC) conference. This award recognizes the significance of these recently-approved standards, which enable password-less sign-in with platform authenticators, mobile devices, and security keys. They provide a huge step forward for online security, privacy, and convenience.

Thanks to Kuppinger Cole for recognizing the importance and impact of these important new standards!

EIC 2019 Award EIC 2019 Award Certificate

March 9, 2019
FIDO2 Client to Authenticator Protocol (CTAP) standard published

FIDO logoI’m thrilled to report that the FIDO2 Client to Authenticator Protocol (CTAP) is now a published FIDO Alliance standard! Together with the now-standard Web Authentication (WebAuthn) specification, this completes standardization of the APIs and protocols needed to enable password-less logins on the Web, on PCs, and on and mobile devices. This is a huge step forward for online security, privacy, and convenience!

The FIDO2 CTAP standard is available in HTML and PDF versions at these locations:

March 4, 2019
The W3C Web Authentication (WebAuthn) specification is now a standard!

W3C logoI’m thrilled to report that the Web Authentication (WebAuthn) specification is now a W3C standard! See the W3C press release describing this major advance in Web security and convenience, which enables logging in without passwords. Alex Simons, Microsoft Vice President of Identity Program Management is quoted in the release, saying:

“Our work with W3C and FIDO Alliance, and contributions to FIDO2 standards have been a critical piece of Microsoft’s commitment to a world without passwords, which started in 2015. Today, Windows 10 with Microsoft Edge fully supports the WebAuthn standard and millions of users can log in to their Microsoft account without using a password.”

The release also describes commitments to the standard by Google, Mozilla, and Apple, among others. Thanks to all who worked on the standard and who built implementations as we developed the standard – ensuring that that the standard can be used for a broad set of use cases, including password-less sign-in with platform authenticators, mobile devices, and security keys.

January 17, 2019
W3C Web Authentication (WebAuthn) advances to Proposed Recommendation (PR)

W3C logoThe World Wide Web Consortium (W3C) has published a Proposed Recommendation (PR) for the Web Authentication (WebAuthn) specification, bringing WebAuthn one step closer to becoming a completed standard. The Proposed Recommendation is at https://www.w3.org/TR/2019/PR-webauthn-20190117/.

The PR contains only clarifications and editorial improvements to the second Candidate Recommendation (CR), with no substantial changes. The next step will be to publish a Recommendation – a W3C standard – based on the Proposed Recommendation.

August 7, 2018
Second W3C Web Authentication (WebAuthn) Candidate Recommendation (CR)

W3C logoW3C has published a second W3C Candidate Recommendation (CR) for the Web Authentication (WebAuthn) specification. The second Candidate Recommendation is at https://www.w3.org/TR/2018/CR-webauthn-20180807/.

This draft contains a few refinements since the first candidate recommendation but no substantial changes. The new CR was needed to fulfill the W3C’s IPR protection requirements. The few changes were based, in part, upon things learned during multiple interop events for WebAuthn implementations. The working group plans to base coming the Proposed Recommendation on this draft.

July 20, 2018
IETF Token Binding specifications sent to the RFC Editor

IETF logoThe three core IETF Token Binding Specifications have been sent to the RFC Editor, which means that their normative content will no longer change. It’s time to move implementations to version 1.0! The abstract of the Token Binding over HTTP specification describes Token Binding as:

This document describes a collection of mechanisms that allow HTTP servers to cryptographically bind security tokens (such as cookies and OAuth tokens) to TLS connections.

We describe both first-party and federated scenarios. In a first-party scenario, an HTTP server is able to cryptographically bind the security tokens it issues to a client, and which the client subsequently returns to the server, to the TLS connection between the client and server. Such bound security tokens are protected from misuse since the server can generally detect if they are replayed inappropriately, e.g., over other TLS connections.

Federated token bindings, on the other hand, allow servers to cryptographically bind security tokens to a TLS connection that the client has with a different server than the one issuing the token.

This document is a companion document to The Token Binding Protocol.

This is a huge step towards cryptographically protecting data structures that had previously been bearer tokens, such as browser cookies, refresh tokens, access tokens, ID Tokens, etc., so that they can only be used by the intended party. Congratulations especially to the editors Andrei Popov, Dirk Balfanz, and Jeff Hodges, as well as the chairs John Bradley and Leif Johansson for getting us to this important milestone!

The three specifications are:

May 22, 2018
Deprecating the Password: A Progress Report

EIC logoI gave the well-received presentation “Deprecating the Password: A Progress Report” at the May 2018 European Identity and Cloud Conference (EIC). The presentation is available as PowerPoint (large because of the embedded video) and PDF.

The presentation abstract is:

If you ask almost anyone you meet if they have too many passwords, if they have trouble remembering their passwords, or if they are reusing the same passwords in multiple places, you’re likely to get an ear-full. People intuitively know that there has to be something better than having to have a password for everything they do!

The good news is that passwords are being used for fewer and fewer identity interactions. They are being replaced by biometrics (sign into your phone, your PC, or your bank with your face or fingerprint), local PINs (prove it’s you to your device and it does the rest), and federation (sign in with Facebook, Google, Microsoft, etc.). This presentation will examine the progress we’ve made, the standards and devices making it possible, and stimulate a discussion on what’s left to do to deprecate the password.

Key takeaways are:

    There are good alternatives to passwords in use today.
    Passwords are being used for fewer and fewer identity interactions.
    Devices are increasingly enabling authentication without passwords.
    New standards are enabling cross-platform password-less authentication.
    The days of having to use passwords for everything you do are numbered!

Thanks to Steve Hutchinson for this photo from the presentation and his vote of confidence.
Mike presenting at EIC 2018

Extra: See all the Microsoft presentations at EIC 2018, including videos of Joy Chik’s and Kim Cameron’s keynotes.

May 7, 2018
On our journey to deprecate the password: Public Implementation Draft of FIDO2 Client to Authenticator Protocol (CTAP) specification

FIDO logoI’m pleased to report that a public Implementation Draft of the FIDO2 Client to Authenticator Protocol (CTAP) specification has been published. This specification enables FIDO2 clients, such as browsers implementing the W3C Web Authentication (WebAuthn) specification, to perform authentication using pairwise public/private key pairs securely held by authenticators speaking the CTAP protocol (rather than passwords). Use of three transports for communicating with authenticators is specified in the CTAP specification: USB Human Interface Device (USB HID), Near Field Communication (NFC), and Bluetooth Smart/Bluetooth Low Energy Technology (BLE).

This specification was developed in parallel with WebAuthn, including having a number of common authors. This CTAP version is aligned with the WebAuthn Candidate Recommendation (CR) version.

The CTAP Implementation Draft is available at:

Congratulations to the members of the FIDO2 working group for reaching this important milestone. This is a major step in our journey to deprecate the password!

March 20, 2018
W3C Web Authentication (WebAuthn) specification has achieved Candidate Recommendation (CR) status

W3C logoThe W3C Web Authentication (WebAuthn) specification is now a W3C Candidate Recommendation (CR). See the specification at https://www.w3.org/TR/2018/CR-webauthn-20180320/ and my blog post announcing this result for the WebAuthn working group at https://www.w3.org/blog/webauthn/2018/03/20/candidate-recommendation/.

This milestone represents a huge step towards enabling logins to occur using privacy-preserving public/private key pairs securely held by authenticators, rather than passwords. Its contents have been informed by what we learned during several rounds of interop testing by multiple browser and authenticator vendors. The Web Authentication spec has also progressed in parallel with and been kept in sync with the FIDO2 Client To Authenticator Protocol (CTAP) specification, so that they work well together.

March 6, 2018
W3C Web Authentication (WebAuthn) specification almost a Candidate Recommendation (CR)

W3C logoThe eighth working draft of the W3C Web Authentication (WebAuthn) specification has been published. The WebAuthn working group plans to submit this draft for approval by the W3C Director (Tim Berners-Lee) to become a W3C Candidate Recommendation (CR), after a few days’ review by the working group.

This milestone represents a huge step towards enabling logins to occur using public/private key pairs securely held by authenticators, rather than passwords. Its contents have been informed by what we learned during several rounds of interop testing by multiple browser and authenticator vendors. The Web Authentication spec has also progressed in parallel with and been kept in sync with the FIDO 2 Client To Authenticator Protocol (CTAP) specification, so that they work well together.

December 5, 2017
Seventh working draft of W3C Web Authentication (WebAuthn) specification

W3C logoThe W3C Web Authentication working group has published the seventh working draft of the W3C Web Authentication (WebAuthn) specification. See the release page for a description of the changes since WD-06. The working group plans for the next version published to be a W3C Candidate Recommendation (CR). No breaking changes are expected between WD-07 and CR.

August 11, 2017
Sixth working draft of W3C Web Authentication specification

W3C logoThe W3C Web Authentication working group has published the sixth working draft of the W3C Web Authentication specification. It now can request that the authenticator support user verification – meaning that it can be used as the sole or first authentication factor. It now also uses the standard CBOR COSE_Key key representation [RFC8152]. Like WD-05, implementation and interop testing for WD-06 is planned.

May 11, 2017
Strong Authentication and Token Binding Presentations at EIC 2017

EIC logoI gave two presentations at the 2017 European Identity and Cloud Conference (EIC) on progress we’re making in creating and deploying important new identity and security standards. The presentations were:

  • Strong Authentication using Asymmetric Keys on Devices Controlled by You: This presentation is about the new authentication experiences enabled by the W3C Web Authentication (WebAuthn) and FIDO 2.0 Client To Authenticator Protocol (CTAP) specifications. It describes the progress being made on the standards and shows some example user experiences logging in using authenticators. Check it out in PowerPoint or PDF.
  • Token Binding Standards and Applications: Securing what were previously bearer tokens: This presentation is about how data structures such as browser cookies, ID Tokens, and access tokens can be cryptographically bound to the TLS channels on which they are transported, making them no longer bearer tokens. It describes the state of the Token Binding standards (IETF, OAuth, and OpenID) and provides data on implementations and deployments to date. This presentation was a collaboration with Brian Campbell of Ping Identity. Check it out in PowerPoint or PDF.

Mike presenting at EIC 2017
(Photo from https://twitter.com/drummondreed/status/862314926433603584)

Next »