The W3C has announced a new web authentication standard that provides an API for accessing public key credentials. The standard, which is being referred to as WebAuthn, would allow users to log into websites without having to use passwords. Instead, the standard relies on Authenticators, which "are responsible for ensuring that no operation is performed without user consent."
For example, when attempting to log into a website supporting WebAuthn on a desktop device, users who had previously registered would be prompted on their phone to select an identity and provide an authorization gesture, such as a PIN or biometric verification.
According to Brett McDowell, the executive director of the FIDO Alliance, one of the organizations that has been involved in creating the WebAuthn standard, "After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications."
The WebAuthn standard is currently a Candidate Recommendation, which means that it "has been widely reviewed and satisfies the Working Group's technical requirements." Once it has been reviewed for technical soundness and implementability, it could become a Proposed Recommendation.