An Extensive Guide to Web Authentication (WebAuthn) in 2024
In the vast online landscape of the 21st century, security is more important than ever. One of the most innovative ways we are enhancing online security today is through WebAuthn, a cutting-edge standard for secure authentication. Let's dive into the world of WebAuthn, understand its history, benefits, and challenges, and explore how it operates.
Table of content
Table of Contents
In the vast online landscape of the 21st century, security is more important than ever. One of the most innovative ways we are enhancing online security today is through WebAuthn, a cutting-edge standard for secure authentication. Let’s dive into the world of WebAuthn, understand its history, benefits, and challenges, and explore how it operates.
WebAuthn is the abbreviation for Web Authentication, an Application Programming Interface (API) standard that provides passwordless authentication using biometric or device-based authenticators for web applications and systems.
The World Wide Web Consortium (W3C), developed and maintains WebAuthn. It boasts compatibility with popular web browsers such as Chrome, Microsoft Edge, Firefox, Safari, and their mobile counterparts. WebAuthn employs public-key cryptography to manage and verify registered devices and user accounts securely.
Diving into WebAuthn’s Lexicon
Understanding WebAuthn requires familiarity with several terms and acronyms commonly associated with it. These include:
- FIDO: An acronym for “Fast Identity Online,” FIDO is a set of specifications developed by the FIDO Alliance for standardizing secure, passwordless authentication methods.
- FIDO2: The framework within which WebAuthn operates, extending FIDO’s specifications to allow users to authenticate using common mobile and desktop devices.
- CTAP: Short for Client-to-Authenticator Protocol, CTAP is a component of FIDO2 that facilitates communication between browsers, operating systems, and external authenticators.
- MFA and 2FA: Multi-Factor Authentication and Two-Factor Authentication are systems of user verification that require two or more different factors.
- UAF: Standing for Universal Authentication Framework, UAF provides the specifications supporting passwordless authentication options such as a USB, NFC, or Bluetooth.
History of WebAuthn: A Timeline
The journey of WebAuthn began with the establishment of the FIDO Alliance in 2012 by companies such as PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio. Their goal was to explore and develop passwordless authentication solutions.
In 2014, the Alliance deployed the first FIDO framework for passwordless authentication. This marked the beginning of a new era in online security. Major corporations such as Microsoft and Samsung started integrating FIDO’s protocols into their operating systems.
In 2016, the World Wide Web Consortium (W3C) introduced new standards for web authentication using the FIDO 2 APIs submitted by the Alliance. This led to the official launch of WebAuthn in 2018 by W3C. By March of 2019, WebAuthn became the official web standard for password-free logins, supported by Chrome, Firefox, Microsoft Edge, and Safari.
The Pitfalls of Current Authentication Methods
Despite WebAuthn’s evolution, password-based authentication remains the most common method for user verification. However, it is susceptible to various cyber threats, such as phishing scams, brute force algorithms, and keystroke logging. Users often simplify their passwords for convenience, making their accounts more vulnerable.
Furthermore, the lack of security awareness among employees and other users intensifies these threats. They often fail to recognize phishing scams and inadvertently share their credentials. Additionally, managing numerous password-based accounts can be a daunting task.
Even WebAuthn-supported authentication methods have their drawbacks. For instance, biometric data, if compromised, can lead to severe privacy breaches. Similarly, loss of an external device used for authentication can lead to unauthorized access.
Advantages of Embracing WebAuthn
WebAuthn’s primary advantage lies in its enhanced security, protecting both organizations and individual users from password-based attacks. Its support for a variety of browsers, operating systems, and devices removes restrictions on system use.
WebAuthn offers users a seamless experience, allowing faster logins without a password and multiple authentication options. It also provides businesses with the flexibility to design custom single-factor logins or multi-factor authentications based on the system being accessed.
Furthermore, WebAuthn reduces operational expenses associated with password resets and IT resources spent on managing user credentials.
Overcoming WebAuthn’s Hurdles
Despite its advantages, WebAuthn’s adoption still faces several challenges. Although nearly all types of browsers, operating systems, and devices support WebAuthn, most major web applications do not. And for those that do, it serves as an additional factor of authentication rather than the primary one.
Moreover, implementing WebAuthn requires a considerable shift in user behavior, which may lead to confusion. Also, due to the variety of authentication options, each web application, operating system, and browser will have a unique verification process, which users will need to adapt to.
The Mechanism Behind Web Authentication
WebAuthn uses public-key cryptography. During device registration to a new application or system, the WebAuthn “relying party” prompts the browser to generate a credential. The system then indicates the desired authentication method based on the registered device’s capabilities and user approval.
Upon approval, a private-public key pairing is generated. The private key is assigned to the user, and the public key is sent to the web application’s server for storage. The public key is uniquely paired to the user’s identity based on the information created during the credential-generation process.
User Authentication Process
When a user requests access to their web application account, the server prompts the relying party to start a login “challenge” — giving the browser your credential information, including the authentication method. The user then needs to complete the challenge by fulfilling the authentication method. If the credential (private key) matches the information in the server (public key), the user is granted access to the system.
Example of WebAuthn
A user may wish to create an account with a WebAuthn-supported application such as Gmail and require a second factor of authentication using a YubiKey during login on their iPhone. In this scenario, the registration process would involve creating a credential for the second factor of verification. The server recognizes the YubiKey device in the respective iPhone (private key) as an identifier for the user in relation to the Gmail account (public key).
With the registration complete, each time they re-log into their Gmail, they would enter their username and password and then be prompted to insert the YubiKey in the headphone slot of the iPhone — completing the second factor and passwordless login.
WebAuthn’s Security Properties
WebAuthn’s security relies on three major properties: strong, scoped, and attested. The “strong” property refers to its ability to securely store the private keys necessary for advanced cryptography. The “scoped” property addresses phishing threats, as key pairs must originate from a genuine source. The “attested” property allows servers to verify the source of a public key, ensuring that the public key came from a trusted source.
Best Practices for WebAuthn Implementation
When implementing WebAuthn for your web applications, it’s crucial to prioritize user experience and offer multiple verification methods. Adhering to the API specifications laid out by their engineers and developers will yield the best security results. You should also allocate resources to manage the complexities of switching to this system and assist users in recovering lost authentication tokens and keys.
WebAuthn: A Glimpse into the Future
WebAuthn appears to be paving the way for the future of secure, passwordless authentication. As more systems adopt this standard, users can expect different verification processes and journeys each time they log into their favorite web applications.
Interested in learning more? Book a free demo to see how an all-in-one infrastructure management platform like StrongDM can help manage your authentication requirements.