Becoming more popular with browsers, operating systems, and devices, WebAuthn is a passwordless authentication API that works within a browser to register, manage, and authenticate users. It doesn’t require a password, is resistant to phishing, and uses two factors in one.
Authenticators Instead of Passwords
From beginning to end, the WebAuthn process involves four things: a user, a WebAuthn-capable browser, an application/service, and an authenticator. Even though they’re not part of the actual protocol, authenticators are needed because WebAuthn eliminates the need for a password and requires an authenticator in its place. Authenticators are located on the user’s device and are either biometric (fingerprints or facial recognition) or part of an external hardware device (such as a YubiKey). They can also be built into a software platform, such as macOS, Windows, Android, or iOS.
Two Factors in One
WebAuthn eliminates the use of the common password as a single factor but still functions as multi-factor authentication (MFA) because the user has to present “something they are” (biometric ID) and “something they have” (their device).
How It Works
The WebAuthn protocol moves user identities through the browser and across devices without requiring direct communication between the user and the server. For example, when the initial query is sent, it goes to the browser, not the service. In turn, the response to the query goes back to the browser, not the user.
To make this happen, WebAuthn uses a public key from the web application and a private key from the user (biometric or possession-based authenticators in mobile phones, tablets, laptops, etc.). This process also allows users to log into different cloud applications and services with the same identity, eliminating the need to create unique credentials for each one.
1. Ian opens a WebAuthn-capable browser and begins to log into his university’s website.
2. The browser sees that Ian has a registered device and queries his macOS to get his authentication data (private key).
3. Once Ian’s identity is verified, the browser sets up a secure identity key that allows Ian to be automatically logged onto the university website.
4. If Ian exits his university website and signs onto another WebAuthn-capable application, the browser can share his identity key under the cover of macOS, allowing other services and devices to identify Ian, not just his university.
Two Keys Are Needed
The WebAuthn protocol uses a public-private keypair to authenticate the user via a WebAuthn-capable browser. The private key (biometrics or external hardware) is stored on the user’s device. The public key is stored in the web application along with a randomly generated, encrypted credential ID.
When a user logs into a web application, the browser asks the user to authenticate themselves using an authenticator, also known as the private key. The user answers this request by activating their biometric ID (fingerprints or facial recognition) or an external hardware device (such as a YubiKey). Using the WebAuthn protocol, the browser tells the service that the user is authenticated and passes along the private key.
Once the private key is approved by the service, it signs the query and sends it back to the browser with a public key. When it arrives back at the browser, the user is authenticated to use the service.
Why WebAuthn Is Good for Your Business
Using WebAuthn provides a streamlined experience for your employees, customers, and other users. Authentication with biometrics or a physical key is superior to using a password as a single factor. It ensures a streamlined user experience with less friction than other methods, and it bypasses the risks associated with using a password.
For organizations, WebAuthn offers faster login using different methods, devices, and operating systems. It avoids the risk of password-based cyberattacks and provides resistance to phishing attacks, especially when a biometric authenticator is used. For IT staff, WebAuthn frees up their time to work on other projects and reduces the need for help desk and support.