Javascript is actually
a good thing!
Make sure it's turned on
so that pingidentity.com can work properly.
What is WebAuthn and How Does it Work? | Ping Identity
Identity Fundamentals
Expand All | Collapse All
Identity and Access Management
Identity Providers and Service Providers
Centralized and Decentralized Identity Management
Zero Trust Security
Authentication
Single-factor, Two-factor, and Multi-factor Authentication
Passwordless Authentication
FIDO (Fast Identity Online)
Risk-based Authentication
Certificate-based Authentication
Token-based Authentication
Single Sign-On (SSO)
Federated Identity Management
CHAP Authentication
Continuous Authentication
Authorization
Authorization Methods
User and Account Provisioning
Single Sign-on with a Directory
Dynamic Authorization
Authentication and Authorization Standards
SAML
OAuth
OpenID Connect (OIDC)
Identity Orchestration
Authentication and Authorization Protocols

What Is WebAuthn?


Becoming more popular with browsers, operating systems, and devices, WebAuthn is a passwordless API authentication protocol that works within a browser to register, manage, and authenticate users. It doesn’t require a password, is resistant to phishing, and uses two factors in one.

 

Authenticators Instead of Passwords

From beginning to end, the WebAuthn process involves four things: a user, a WebAuthn-capable browser, an application/service, and an authenticator. Even though they’re not part of the actual protocol, authenticators are needed because WebAuthn eliminates the need for a password and requires an authenticator in its place. Authenticators are located on the user’s device and are either biometric (fingerprints or facial recognition) or part of an external hardware device (such as a Yubi key). They can also be built into a software platform, such as MacOS, Windows, Android, or iOS.

 

TWO FACTORS IN ONE

WebAuthn eliminates the use of the common password as a single factor but still functions as multi-factor authentication (MFA) because the user has to present “something they are” (biometric ID) and “something they have” (their device).

 

How It Works

The WebAuthn protocol moves user identities through the browser and across devices without requiring direct communication between the user and the server. For example, when the initial query is sent, it goes to the browser, not the service. In turn, the response to the query goes back to the browser, not the user.  

 

A graphic depicts the flow of WebAuthn: The user submits an initial query to the browser; the browser relays the initial query with proof of authentication via a private key; and the application responds to the initial query and sends the public key back to the browser.

 

To make this happen, WebAuthn uses a public key from the web application and a private key from the user (biometric or possession-based authenticators in mobile phones, tablets, laptops, etc.). This process also allows users to log into different cloud applications and services with the same identity, eliminating the need to create unique credentials for each one.

 

EXAMPLE

  1. Ian opens a browser and begins to log into his university’s website via a WebAuthn-capable browser.

     

  2. The browser sees that Ian has a registered device andqueries his Mac OS to get his authentication data (private key).  

     

  3. Once Ian’s identity is verified, the browser sets up a secure identity key that allows Ian to be automatically logged onto the university website.

     

  4. If Ian exits his university website and signs onto another WebAuthn-capable application, the browser can share his identity key under the cover of the Mac OS, allowing other services and devices to identify Ian, not just his university.

 

 

Two Keys Are Needed

The WebAuthn protocol uses a public-private keypair to authenticate the user via a WebAuthn-capable browser. The private key (biometrics or external hardware) is stored on the user’s device. The public key is stored in the web application along with a randomly generated, encrypted credential ID.

 

PRIVATE KEY

When a user logs into a web application, the browser asks the user to authenticate themselves using an authenticator, also known as the private key. The user answers this request by activating their biometric ID (fingerprints or facial recognition) or an external hardware device (such as a Yubi key). Using the WebAuthn protocol, the browser tells the service that the user is authenticated and passes along the private key. 

 

PUBLIC KEY

Once the private key is approved by the service, it signs the query and sends it back to the browser with a public key. When it arrives back at the browser, the user is authenticated to use the service. 

 

Why WebAuthn Is Good for Your Business

Using WebAuthn provides a streamlined experience for your employees, customers, and other users. Authentication with biometrics or a physical key is superior to using a password as a single key. It ensures a streamlined user experience with less friction than other methods, and it bypasses the risks associated with using a password.

 

For organizations, WebAuthn offers faster login using different methods, devices, and operating systems. It avoids the risk of password-based cyberattacks and provides resistance to phishing attacks, especially when a biometric authenticator is used. For IT staff, WebAuthn frees up their time to work on other projects and reduces the need for help desk and support.

Related Resources

Capability

Multi-factor Authentication Solution

Learn how MFA enables passwordless authentication, prevents data breaches, and improves the user experience.

White paper

The Essential WebAuthn Primer

Learn the benefits WebAuthn provides organizations and users, its relationship with other standards, and how the system works.

Website

Web Authentication: An API for Accessing Public Key Credentials

Read this technical article outlining a specification that defines an API enabling strong authentication.

Start Today

See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.

Contact Sales

sales@pingidentity.com

+1 877-898-2905

Request a free demo