When Does a Technical Standard Become a Legal Standard of Care?

The Guardian reports us that the World Wide Web Consortium (W3C) is close to adopting a new authentication standard that can replace passwords. This would be some kind of “who you are” (biometric) or “what you have” (token, phone to receive code) method of authentication, rather than a “what you know” password. (I suppose a code sent to your phone is what you know, but you know it only case by case, because you have another communications channel.)

Some web services already work this way, as the article notes – or does in special cases, as when one is logging on from an unrecognized computer.

It seems to me that if this were widely adopted, it would be a serious nuisance, both for the vast majority of websites where one does not need a secure password, and for secure ones where frequency of use teaches us to remember complex passwords – and perhaps the intermediate case where one satisfactorily uses a secure password manager like KeyPass..

Once “WebAuthn” (a fine multilingual name…) becomes an international standard, though, will it be negligent for websites not to use it, even for not-particularly-confidential content? Or will it be enough if they make it an option for users, so the negligence moves to the user if his/her/its authentication method is hacked and losses follow? Would they have to give a clear explanation of the risks of not using it, so the users can’t say they did not realize the risk they were “voluntarily” assuming?

First-year torts profs, please copy…


  1. David Collier-Brown

    Oh ye gods and godesses, W3C has refused to listen to the security community _again!_

    Looking at the claims in the press release, their purported inclusion of biometrics as “something you have” in two-factor authentication is a famous (or perhaps infamous) mistake. Biometrics are “who you are”, and are the public “user name” part of two-factor, not the secret “what you know” part that is currently being (poorly) fulfilled with passwords. The security community spoke out against it when the PHBs at laptop vendors and Apple first released fingerprint readers.

    Will it be negligent to not use a formally incorrect standard? Can a technical standard be honored by a court when the persons proposing have been called out as incompetent, not for the first time?