Say goodbye to passwords! Web consortium pushes a new form of online authentication
On Tuesday, organisations and companies including the top browser vendors Microsoft, Google and Firefox announced a new landmark standard, WebAuthn. The standard simplifies how web developers add additional login methods to their sites, and so better protects the security of users' accounts and data.
With WebAuthn, users no longer need a password: they can access services with fingerprint data, a hardware token or an app.
https://v.qq.com/txp/iframe/player.html?vid=d1337no9s4t&width=500&height=375&auto=0
RIP passwords: new web standard designed to replace login method
A new web standard is expected to kill passwords, meaning users will no longer have to remember difficult logins for each and every website or service they use.
The Web Authentication (WebAuthn) standard is designed to replace the password with biometrics and devices that users already own, such as a security key, a smartphone, a fingerprint scanner or webcam.
Instead of having to remember an increasingly long string of characters, users can authenticate their login with their body or something they have in their possession, communicating directly with the website via Bluetooth, USB or NFC[1].
[1] NFC: Near Field Communication. The technology evolved from contactless radio-frequency identification (RFID) and was jointly developed by Philips Semiconductors (now NXP Semiconductors), Nokia and Sony, building on RFID and interconnection technology. NFC is a short-range, high-frequency radio technology that operates at 13.56 MHz over a distance of about 10 cm, with three transfer rates: 106 kbit/s, 212 kbit/s and 424 kbit/s. It has been adopted as the international standard ISO/IEC 18092, as ECMA-340 and as ETSI TS 102 190. NFC supports two reading modes, active and passive.
"WebAuthn will change the way that people access the Web," said Jeff Jaffe, chief executive of the World Wide Web Consortium (W3C), the body that controls web standards.
One example of how WebAuthn will work is that when a user visits a site they want to log into, they input a user name and then get an alert on their smartphone. Tapping on the alert on their phone then logs them into the website without the need for a password.
WebAuthn promises to protect users against phishing[2] attacks and the use of stolen credentials[3], as there will be nothing to steal: the authentication token is generated by the user's specific device each time they log in and is used only once.
[2] phishing: the criminal activity of sending emails or running a website that is intended to trick someone into giving away information such as their bank account number or their computer password. This information is then used to get money or goods.
[3] credentials:
1) (N-PLURAL) Someone's credentials are their previous achievements, training, and general background, which indicate that they are qualified to do something. Example: ...her credentials as a Bach specialist.
2) (N-PLURAL) Someone's credentials are a letter or certificate that proves their identity or qualifications. Example: The new ambassador to Lebanon has presented his credentials to the president.
"After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication[4] for all websites and applications," said Brett McDowell, executive director of the FIDO Alliance, one of the bodies pushing the new standard.
[4] FIDO Authentication: Fast IDentity Online authentication.
WebAuthn should also help people use unique login details for each and every service they use, instead of using the same login and password for every site, which many people still do leaving them vulnerable to further attacks if one site is hacked.
The W3C has moved WebAuthn to what's called the "candidate recommendation" stage, the penultimate step before it becomes an approved web standard, inviting sites and services to begin implementing it. The web standards body announced that Google, Microsoft and Mozilla had committed to supporting WebAuthn, meaning that all major web browsers short of Apple's Safari will implement the new standard.
"While there are many web security problems and we can't fix them all, relying on passwords is one of the weakest links. With WebAuthn's multi-factor solutions we are eliminating this weak link," said Jaffe.
Several sites and services already use similar methods to log in, including Google and Facebook, which can both be logged into using a USB security key. But a single cross-platform, cross-service standard ratified by the W3C will mean that many more sites and services will be able to kill the password as the defacto[5] login method.
[5] defacto: in actual fact, in practice. The two-word spelling "de facto" is more common: "De facto is used to indicate that something is a particular thing, even though it was not planned or intended to be that thing." Example: This might be interpreted as a de facto recognition of the republic's independence.
WebAuthn is the culmination of many years of work and the change will not happen overnight. But as it increasingly seems inevitable that our email or other online services will get hacked into, removing the password is an important step in improving online security and making using sites and services easier.
Of course, as with any web security, researchers will keep looking for weaknesses around WebAuthn. For example, a feature in Chrome called WebUSB was recently found to potentially let attackers steal the codes generated by the hardware tokens used to log in to services.
The WebAuthn standard has been more than three years in the making; within the next year or two, logging in to your email with a fingerprint should become a reality.
Chinese source: wttech.org
English source: The Guardian