Becoming more popular with browsers, operating systems, and devices, WebAuthn (or Web Authentication) is a passwordless API authentication protocol that works within a browser to register, manage, and authenticate users. It doesn’t require a password, is resistant to phishing, and uses two factors in one.
WebAuthn was developed to meet the industry’s need to provide users with better and more secure authentication experiences. WebAuthn works in conjunction with the FIDO Client To Authenticator Protocol version 2 (CTAP2) to securely create and retrieve credentials on a security key, which results in seamless authentication experiences.
This open standard is a result of a joint effort between the FIDO Alliance and the World Wide Web Consortium (W3C). First proposed in 2013 as a passwordless authentication solution, it officially became a W3C standard in March 2019.
Since then, it has been widely adopted by many major websites and services including Google, Facebook, and Microsoft, and most major browser vendors, such as Chrome, Firefox, Edge, and Safari, have added WebAuthn support to their browsers.
WebAuthn makes authentication both easier to use and more secure, which benefits both users and service providers. With WebAuthn, user credentials never leave their devices and are not stored on a server, which reduces vulnerabilities to phishing, password theft, and replay attacks.
WebAuthn also provides users with easy registration and sign-on experiences. They can sign on faster by not needing to enter their passwords, can authenticate using a variety of different methods and devices, and are no longer burdened with remembering their passwords and changing them on a regular basis.
Product owners can also decrease their development time using WebAuthn. Developers can implement registration and authentication services using simple calls to the WebAuthn API supported by their browser or platform.
From beginning to end, the WebAuthn process involves four things: a user, a WebAuthn-capable browser, an application or service, and an authenticator. Even though they’re not part of the actual protocol, authenticators are needed because WebAuthn requires an authenticator instead of a password. Authenticators are located on the user’s device and are either biometric (fingerprints or facial recognition) or part of an external hardware device (such as a YubiKey). They can also be built into a software platform, such as macOS, Windows, Android, or iOS. WebAuthn eliminates the use of the common password as a single factor but still functions as multi-factor authentication (MFA) because the user has to present “something they are” (biometric ID) and “something they have” (their device).
The WebAuthn protocol moves user identities through the browser and across devices without requiring direct communication between the user and the server. For example, when the initial query is sent, it goes to the browser, not the service. In turn, the response to the query goes back to the browser, not the user.
To make this happen, WebAuthn uses a public key from the web application and a private key from the user (biometric or possession-based authenticators in mobile phones, tablets, laptops, etc.). This process also allows users to log into different cloud applications and services with the same identity, eliminating the need to create unique credentials for each one.
Authenticating users without a password is a six-step process:
Step 1: User goes to browser to initiate login
Step 2: Web server creates a unique challenge that is sent to the authenticator
Step 3: Authenticator receives challenge with domain name of challenge
Step 4: Authenticator receives biometric consent from user
Step 5: Authenticator generates cryptographic signature which is sent back to the web server
Step 6: Web server verifies the signature against the unique challenge to log the user in
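The six steps above, as an added example that is not part of the original page: a simulated authenticator and the web server's checks in Node.js. The host names, RP ID and function names are constructed for illustration; the private key stays inside the simulated authenticator and only the signature reaches the server, which is why a stale challenge or a look-alike domain fails verification.

```javascript
// Added example: RP_ID, ORIGIN and the look-alike host below are constructed values.
const nodeCrypto = require("node:crypto");
const sha256 = (d) => nodeCrypto.createHash("sha256").update(d).digest();
const RP_ID = "login.example.edu";
const ORIGIN = "https://login.example.edu";
// Simulated authenticator: the private key stays inside this closure.
function makeAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  // The browser supplies the origin it is really on; the user cannot override it.
  const sign = (challenge, origin, rpId) => {
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
    // authenticatorData = SHA-256(rpId) || flags (0x05 = UP|UV) || signCount (unused, 0)
    const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
    const signature = nodeCrypto.sign("sha256",
      Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authenticatorData, signature };
  };
  return { publicKey, sign };
}
// Web server checks for step 6; returns "ok" or the first failed check.
function verifyAssertion(a, expectedChallenge, publicKey) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  const got = Buffer.from(String(client.challenge), "base64url");
  if (got.length !== expectedChallenge.length ||
      !nodeCrypto.timingSafeEqual(got, expectedChallenge)) return "challenge mismatch";
  if (client.origin !== ORIGIN) return "origin mismatch";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpIdHash mismatch";
  if ((a.authenticatorData[32] & 0x05) !== 0x05) return "user consent missing";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}
function demo() {
  const auth = makeAuthenticator();
  const challenge = nodeCrypto.randomBytes(32); // step 2: fresh for every login
  const good = auth.sign(challenge, ORIGIN, RP_ID);
  const phished = auth.sign(challenge, "https://login.example-edu.test", "login.example-edu.test");
  const tampered = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  tampered.authenticatorData[36] ^= 1; // signed bytes altered after signing
  return {
    legit: verifyAssertion(good, challenge, auth.publicKey),
    replay: verifyAssertion(good, nodeCrypto.randomBytes(32), auth.publicKey),
    phished: verifyAssertion(phished, challenge, auth.publicKey),
    tampered: verifyAssertion(tampered, challenge, auth.publicKey),
  };
}
console.log(demo());
```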
Let’s take a closer look at how it works:
The user opens a browser window and signs on to the application that they want to access.
The browser verifies the user’s identity and relays the authentication using a private key.
The application sends the public key back to the browser and the user signs on to the application.
A real-life sign-on situation might look something like this:
Ian opens a browser and begins to sign on to his university’s website using a WebAuthn-capable browser.
The browser sees that Ian has a registered device and queries his macOS to get his authentication data (private key).
Once Ian’s identity is verified, the browser sets up a secure identity key that allows Ian to be automatically signed on to the university website.
If Ian exits his university website and signs on to another WebAuthn-capable application, the browser can share his identity key under the cover of macOS, allowing other services and devices to identify Ian, not just his university.
The WebAuthn protocol uses a public-private keypair to authenticate the user via a WebAuthn-capable browser. The private key (biometrics or external hardware) is stored on the user’s device. The public key is stored in the web application along with a randomly generated, encrypted credential ID.
When a user logs into a web application, the browser asks the user to authenticate themselves using an authenticator, also known as the private key. The user answers this request by activating their biometric ID (fingerprints or facial recognition) or an external hardware device (such as a YubiKey). Using the WebAuthn protocol, the browser tells the service that the user is authenticated and passes along the private key.
WebAuthn Authenticators:
Biometrics with TPM or TEE/secure enclave
Fingerprint reader
Face/iris/voice recognition
PIN/pattern/passphrase with TPM or TEE/secure enclave
Touch sensor with secure element
PIN and touch sensor with secure element
Software authenticators
Once the private key is approved by the service, it signs the query and sends it back to the browser with a public key. When it arrives back at the browser, the user is authenticated to use the service.
As previously mentioned, WebAuthn works in conjunction with CTAP2 to securely create and retrieve credentials on a security key. These two protocols are the building blocks of the FIDO2 authentication protocol.
CTAP2 secures communication between an external authenticator and the application running on a user’s computer or in the browser. However, the browser doesn’t receive the authentication information. Instead, WebAuthn is used to communicate this information to the relying party, which is the service that actually uses the authentication information, and removes information about the authenticator.
Using WebAuthn provides a streamlined experience for your employees, customers, and other users. Authentication with biometrics or a physical key is superior to using a password as a single key. It ensures a streamlined user experience with less friction than other methods, and it bypasses the risks associated with using a password.
For organizations, WebAuthn offers faster login using different methods, devices, and operating systems. It avoids the risk of password-based cyberattacks and provides resistance to phishing attacks, especially when a biometric authenticator is used. For IT staff, WebAuthn frees up their time to work on other projects and reduces the need for help desk and support.