Table of Contents

What is WebAuthn (Web Authentication)

What is WebAuthn (Web Authentication)

If you spend a lot of time on the internet, you’ll no doubt have countless passwords and usernames. Social media, e-commerce, and email accounts: Everything needs its own password. In the future, however, surfing the internet could be much more convenient for users. The new WebAuthn standard is designed to eliminate the need for remembering passwords, but without compromising the security of sensitive data.


The idea behind WebAuthn (Web Authentication)

The idea behind WebAuthn (Web Authentication)

In the past, the only way to confirm your identity on the internet was by using a combination of your username and password. With user names (in some cases an email address is used instead), a user specifies which account they want to access. A password that only the user knows is then used to confirm their identity.

This procedure has proven to not be very efficient in the past: Since it is very cumbersome, users tend to simplify it on their own by using easy-to-remember character combinations – which can be cracked quickly – or they the same password for every account. To counter this, password managers and multi-factor authentication (MFA) were introduced. But many users don’t take advantage of these measures.

The World Wide Web Consortium (an association of IT companies that regularly publishes standards for the web) realized this and began looking for a solution. Together with the FIDO Alliance (a cooperation of different companies for uniform authentication measures) several measures were developed for the FIDO2 project: In addition to the FIDO Client to Authenticator Protocol (CTAP), a new standard now exists: WebAuthn.

The Web Authentication API (also known as WebAuthn) is a specification written by the W3C and FIDO Alliance, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows servers to register and authenticate users using public key cryptography instead of a password.


 WebAuthn (or Web Authentication) is a uniform authentication option that no longer relies on passwords, but rather on biometric data. Users are able to log into their accounts using fingerprints or facial recognition. Today, many devices (especially smartphones and laptops) are already equipped with the corresponding hardware and software, which makes it a lot easier for users. Alternatively, a hardware token can be used to identify the user. Since users always carry this information with them, they can neither forget it nor pass it on without thinking: With WebAuthn, phishing could be a thing of the past.


Moreover, since users no longer need to create passwords and user names, there is no risk of using the same data for different accounts. The standard ensures that unique login information is available for each user’s account. You only have to register your authenticator (fingerprint, security key, etc.) once with the web service and can then use the convenient log-in.

Since different data is used for each account, there’s no tracking possible across different websites with WebAuthn.

Technical implementation of WebAuthn

Technical implementation of WebAuthn

 WebAuthn will work with any browser. Chrome, Firefox, Safari (partially), and Edge already support the standard. Websites that want to verify the identity of users for log-in purposes access the Web Authentication API in the browser. The respective user only confirms their identity on their own device. For example, by using a fingerprint scanner or connecting their token to a laptop or PC. The sensitive identity data (e.g. the fingerprint) does not leave the device. Only a confirmation from the browser is sent to the web service via public key procedure. The user does not have to enter a password or a user name.

The interface is addressed via JavaScript. This makes it very easy for website operators to implement Web Authentication, and should therefore allow it to be distributed rapidly. If the web service provider wants even more security for its service, WebAuthn and MFA can also be used together. In addition to authentication using biometric data, you can set it so that a password is also required.


Website operators must connect to the Web Authenticator API or implement the correct JavaScript code.

The official W3C recommendation contains more information about server-side implementation.

Why should I use WebAuthn (Web Authentication)

Why should I use WebAuthn Web Authentication

In contrast to older measures that used a password, WebAuthn offers several advantages for users and website operators alike. The convenience and ease should be enough to entice users: the fact that there is no need to memorize information anymore. This is great news in terms of security: The use of passwords is, after all, only conditionally secure. Either they can be cracked (with brute force or rainbow tables, for example) or the passwords are obtained through phishing. With WebAuthn, there is no way that a password can be passed on by accident.

Since the new standard does not transmit identity data over the internet, a man-in-the-middle attack, in which data is tapped during transmission, won’t be successful. In addition, the authenticity certificate is cryptographically secured by the public key procedure during transfer.

The fact that all sensitive data remains on the user’s device is also an advantage for website operators. Providers of services that require registration currently need to invest a lot of energy and expertise into securing passwords and user names. There could be catastrophic consequences if criminals manage to infiltrate the provider’s databases. Companies that are unable to prevent attacks like these face serious consequences, as well as causing suffering to their users due to this significant data misuse – especially if they use the credentials on other platforms.


Conclusion

Conclusion

WebAuthn offers a higher security standard than older methods and at the same time increases ease when logging in to websites. Web service providers also have to put in less effort with WebAuthn, especially since implementation is comparatively simple.


Was this article helpful?

Please rate & help us to improve our Knowledge Base.

Your Rating: Results: 1 Star2 Star3 Star4 Star5 Star 0 rates