Web Authentication: WebAuthn
Web Authentication Overview
The Web Authentication Application (WebAuthn) Programming Interface (API) is a standard constructed by the World Wide Web Consortium (W3C) and Fast Identity Online (FIDO). With companies such as Microsoft, Mozilla, and Google collaborating, the WebAuthn standard API will permit servers to register and authenticate individuals using public key credentialing and web security.
The WebAuthn API gives monitored access to web applications to end-users using authenticators. These authenticators are typically hardware tokens that are accessed over Universal Serial Bus (USB), Bluetooth Low Energy (BLE), Near-Field Communication (NFC) or other modules that are constructed within a platform (like fingerprint scanners).
Authenticators are tools that create private/public key pairs and define consent criteria. Consent for signing can be authorized using a physical tap, a validated fingerprint reading, or with alternative methods if they conform to FIDO2 specifications. WebAuthn’s purpose for these authentication methods is to generate and subsequently challenge public-key credentials.
This API allows for a few different uses, like:
- Good usability (low friction) and phishing-resistant Two-Factor Authentication (2FA), used together with a password
- Account/Identity verification using a biometric system that is passwordless
- Phishing-resistant 2FA and low-friction for passwordless accounts
What Does Web Authentication Do?
WebAuthn will add a new standard to the Credential Management API as well a new sort of credential, known as PublicKeyCredential. The WebAuthn API will reduce and simplify the communication between an authenticator and a web browser, allowing a given user to do one of two things:
1. Use a given website to create a public key credential that’s specific to that website and then to register it afterward.
2. Use the same website to authenticate to it through the proof of possession of the proper private key to match the website’s public key.
The WebAuthn API will soon be fully implemented by many of the more prominent browsers. Once it’s implemented, it should reduce the complexity in the user interface (UI) presented whenever a user verifies their online identity and it should drastically cut down on successful phishing incidents.
How Web Authentication Works: WebAuthn
WebAuthn depends on three specific characteristics:
- Powerful Cryptography: Authentication will utilize a Hardware Security Module as its backbone. This module can securely store private keys and carry out all cryptographic operations that WebAuthn requires.
- Application Scope: A private-public key pair can only be used with specific applications or web elements, such as a browser cookie. A key pair that has already been registered with “webauthn.overview” cannot be taken over and then used at “webauthn.services.” This dramatically reduces the threat of phishing attempts.
- Attestation: Authenticators can certify and attest for certain information, which can permit servers to validate public keys. This validates that the public key came from a trusted source, as against coming from an unauthorized or unrecognized source.
WebAuthn Credential Registration
With traditional password-based user registration, servers send a form to users requesting a username and password that will be unique to the new account being created. Once entered and registered, the password is stored within the server’s database.
In the case of WebAuthn, data supplied by a server links a user to a specific private-public keypair credential. Included in this data are identifiers regarding the user and the organization being accessed, making the server a relying party. The website being accessed would operate through the WebAuthn API to alert the user that a new keypair must be created. To eliminate attempts at replay attacks, the WebAuthn API requires that servers use randomly generated strings as challenges that can only be overcome with the correct private key.
WebAuthn Credential Authentication
Once registration is complete, the user can authenticate themselves in future attempts to access the intended application or resource. In the authentication process, an assertion is constructed. This assertion serves as a form of proof that a user possesses the private key. Within the assertion is a signature that is created with the same private key. To authenticate this assertion’s signature, the server assesses the public key that was retrieved during the registration process.
Uses for Web Authentication
Web Authentication is a powerful weapon against the web’s largest and most pervasive security issue: phishing. Over 80% of 2018’s account hacks and account take-overs were caused by exploiting weak or stolen user passwords.
In the recent past, the web industry responding to phishing attempts with multi-factor authentication (MFA), but it only met limited success due to fragmentation problems and due to not directly attacking core weaknesses with phishing campaigns. Google, Microsoft, and other companies have been working with the FIDO Alliance and with the W3C to implement the WebAuthn API on the majority of browsers within the near future.
The WebAuthn API will permit servers to work together with the powerfully secure authenticators that are already built into certain platforms, such as Google Sign-In or Apple’s Touch ID. Rather than using a traditional password, a credential (private-public key pair) is made for a specific website. The user’s device will use a security system to store the private key, while the public key and the credential ID (randomly generated on each use) is stored with the server. When a user wants to access a website or feature that requires authentication, the servers will use randomly generated information as challenges that must be responded to with the unique private key that will establish the user’s identity.
With the WebAuthn API, there aren’t any secrets that hackers can exploit by gaining unauthorized access to server databases. Server's public keys won't grant application-access without matching private keys. Once WebAuthn is fully implemented, these servers will only store public keys and randomly generated information, which cannot grant access to applications and secured features with the user’s private key. The implication is that server databases won’t be viewed as effective targets for future hackers, as the public keys and credential information can’t grant them access to the potential victim’s information and accounts.
Ready for the next step?
Provide your good customers with a sleek, speedy and secure login experience. Choose invisible device-based authentication or multifactor methods that adapt based on a perceived threat.