A new web standard is expected to kill passwords, meaning users will no longer have to remember difficult logins for each and every website or service they use.
一種新的網(wǎng)絡(luò)標(biāo)準(zhǔn)或?qū)⒔K結(jié)密碼的使用,用戶不再需要記住登錄每個(gè)網(wǎng)站和個(gè)人設(shè)備的賬號(hào)信息。
The Web Authentication (WebAuthn) standard is designed to replace the password with biometrics and devices that users already own, such as a security key, a smartphone, a fingerprint scanner or webcam.
這種“網(wǎng)絡(luò)認(rèn)證”標(biāo)準(zhǔn)旨在使用生物識(shí)別和用戶已有的設(shè)備替代密碼,比如安全密鑰、智能手機(jī)、指紋掃描儀和網(wǎng)絡(luò)攝像頭。
Instead of having to remember an increasingly long string of characters, users can authenticate their login with their body or something they have in their possession, communicating directly with the website via Bluetooth, USB or NFC.
用戶無需再記憶越來越冗長的密碼,而可以使用身體特征或者已有設(shè)備認(rèn)證其登錄信息,通過藍(lán)牙、USB接口或近場通信技術(shù)直接完成在線身份認(rèn)證。
“WebAuthn will change the way that people access the Web,” said Jeff Jaffe, chief executive of the World Wide Web Consortium (W3C), the body that controls web standards.
網(wǎng)絡(luò)標(biāo)準(zhǔn)機(jī)構(gòu)萬維網(wǎng)聯(lián)盟的董事長杰夫-賈福爾說:“網(wǎng)絡(luò)認(rèn)證能改變?nèi)藗兊纳暇W(wǎng)方式。”
One example of how WebAuthn will work is that when a user visits a site they want to log into, they input a user name and then get an alert on their smartphone. Tapping on the alert on their phone then logs them into the website without the need for a password.
舉個(gè)例子,如果一名用戶想用電腦登錄訪問一家網(wǎng)站,他們可以輸入用戶名,之后就會(huì)在智能手機(jī)上收到提示。點(diǎn)擊手機(jī)上的提示信息就可以順利登錄網(wǎng)站,無需輸入密碼。
WebAuthn promises to protect users against phishing attacks and the use of stolen credentials as there will be nothing to steal, the authentication token is generated and used once by their specific device each time the user logs in.
“網(wǎng)絡(luò)認(rèn)證”標(biāo)準(zhǔn)將使用戶無需擔(dān)心受到網(wǎng)絡(luò)釣魚攻擊,也不用擔(dān)心認(rèn)證信息被盜用,因?yàn)楸旧砭蜎]什么可偷的。每次用戶登錄網(wǎng)站,都會(huì)生成特定設(shè)備才可使用的一次性身份認(rèn)證指令。
“After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications,” said Brett McDowell, executive director of the FIDO Alliance, one of the bodies pushing the new standard.
推動(dòng)新標(biāo)準(zhǔn)實(shí)行的機(jī)構(gòu)之一FIDO聯(lián)盟(線上快速身份認(rèn)證聯(lián)盟)的執(zhí)行董事布雷特-麥克道爾說:“這些年來數(shù)據(jù)泄露和密碼信息被盜的情況越來越嚴(yán)重,現(xiàn)在服務(wù)提供商是時(shí)候結(jié)束他們對(duì)易受攻擊的密碼和一次性密碼的依賴,并在所有網(wǎng)站和應(yīng)用中使用可防止網(wǎng)絡(luò)釣魚的線上快速身份認(rèn)證了。”
WebAuthn should also help people use unique login details for each and every service they use, instead of using the same login and password for every site, which many people still do leaving them vulnerable to further attacks if one site is hacked.
“網(wǎng)絡(luò)認(rèn)證”標(biāo)準(zhǔn)還幫助人們?yōu)槊總€(gè)設(shè)備使用獨(dú)一無二的登錄信息,而不是針對(duì)每個(gè)網(wǎng)站都使用相同的登錄名和密碼。如果其中一個(gè)網(wǎng)站被黑,很多用戶的登錄名和密碼都可能遭到進(jìn)一步攻擊。
The W3C has moved WebAuthn to what’s called the “candidate recommendation” stage – the penultimate step before it becomes an approved web standard – inviting sites and services to begin implementing it. The web standards body announced that Google, Microsoft and Mozilla had committed to supporting WebAuthn, meaning that all major web browsers short of Apple’s Safari will implement the new standard.
萬維網(wǎng)聯(lián)盟已將“網(wǎng)絡(luò)認(rèn)證”標(biāo)準(zhǔn)列入“候選推薦”階段,這是互聯(lián)網(wǎng)標(biāo)準(zhǔn)最終獲得認(rèn)可、邀請(qǐng)網(wǎng)站和設(shè)備開始應(yīng)用之前的倒數(shù)第二個(gè)階段。萬維網(wǎng)聯(lián)盟宣布,谷歌、微軟和摩斯拉(火狐)已決心致力于支持這一標(biāo)準(zhǔn),這意味著除了蘋果公司的Safari瀏覽器外,所有的主流瀏覽器都將實(shí)施這一新標(biāo)準(zhǔn)。
“While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link,” said Jaffe.
賈福爾說:“盡管互聯(lián)網(wǎng)安全存在諸多問題,我們也無法全部解決,但依賴密碼是其中最薄弱的環(huán)節(jié)。通過網(wǎng)絡(luò)認(rèn)證標(biāo)準(zhǔn)的多因素解決方案,我們將消除這一薄弱環(huán)節(jié)。”
Several sites and services already use similar methods to log in, including Google and Facebook, which can both be logged into using a USB security key. But a single cross-platform, cross-service standard ratified by the W3C will mean that many more sites and services will be able to kill the password as the defacto login method.
已有數(shù)家網(wǎng)站和多種設(shè)備使用類似的登錄方式,谷歌和臉書等網(wǎng)站用戶可以選擇使用USB安全密鑰登錄。但互聯(lián)網(wǎng)聯(lián)盟批準(zhǔn)的單一跨平臺(tái)、跨設(shè)備標(biāo)準(zhǔn)意味著將有越來越多的網(wǎng)站和設(shè)備取消密碼這種實(shí)際登錄辦法。
WebAuthn is the culmination of many years of work and the change will not happen overnight. But as it increasingly seems inevitable that our email or other online services will get hacked into, removing the password is an important step in improving online security and making using sites and services easier.
“網(wǎng)絡(luò)認(rèn)證”標(biāo)準(zhǔn)是數(shù)年成就積累的頂峰,這種改變并非一蹴而就。但隨著電子郵件和其他網(wǎng)絡(luò)服務(wù)被黑客入侵越發(fā)不可避免,消除密碼是提升網(wǎng)絡(luò)安全、讓網(wǎng)站和設(shè)備使用更加便捷的重要一步。