Introduction to WebAuthn: What is it? How Does it Work?
We all use passwords to protect our accounts and data, but wouldn't it be great if there was an easier way? WebAuthn is the global standard for passwordless authentication, reducing the reliance on passwords to log in to accounts via the web.
Today's mainstream authentication methods aren't robust enough to secure the websites and applications containing personal and sensitive data. Account takeover attempts increased by over 79% in 2020 (Consumer Affairs), raising concerns that traditional password use and 2FA are no longer adequate for account protection. During the COVID-19 pandemic, Fintech News reports that phishing attempts had risen by 50%. So how do you prevent password-based attacks? FIDO (Fast Identity Online) is standardizing passwordless authentication systems, including WebAuthn.
In this post, we'll introduce you to WebAuthn, explaining how it works and its benefits for engineers and users.
What is WebAuthn?
WebAuthn is an API built for supported web browsers (Chrome, Firefox, Edge, and Safari), Windows 10, and Android operating systems that enables passwordless authentication between a device and a web application. FIDO's previous version of the WebAuthn protocol was called U2F. U2F stands for Universal Second Factor. The FIDO organizational standard makes passwordless authentication possible by using strong authentication methods, such as biometrics and security keys.
WebAuthn was standardized by the World Wide Web Consortium. It uses strong, public key cryptography, which allows users to register or log into a website without relying on passwords. This makes credential theft more difficult and eliminates the need to remember multiple usernames and passwords.
Why the move away from passwords? Database breaches, phishing attempts, and account takeovers cost companies billions of dollars, damage reputations, and cause compliance issues. One of the most significant data breaches in history impacted Dropbox, Linkedin, and other big-name organizations when over 2.2 billion records were stolen and released on the web in 2019. Hackers collected usernames and passwords from various databases over a number of years and built a mega database that was freely distributed on hacker forums and torrent sites. (Wired). Utilization of a passwordless solution, like WebAuthn, would have prevented that data breach.
How does it work?
Now that you understand the basics of WebAuthn, let’s dive deeper into how it works. To recap, the most prominent benefit of using WebAuthn is its ability to eliminate passwords for web applications.
The web authentication API (WebAuthn) comprises three components to enable passwordless authentication on a website or application:
- The authenticator creates and stores user credentials. In traditional password authentication, the user memorizes the credentials. WebAuthn requires the credentials to be stored on a device. Generally, the authenticator is stored on a biometric USB device, a security key, or can be embedded into a mobile or laptop operating system. WebAuthn can authenticate users with facial recognition or fingerprint scanning.
- The WebAuthn client/platform is the software that allows the implementation of a WebAuthn API. This could be a web browser, application, or operating system.
- The web server forms the entire application in a WebAuthn setup that authenticates a user, consisting of a backend web server and a single client page in the front end.
To implement the WebAuthn standard, a private key is stored on the local operating system or a security module, such as a biometric USB device (the authenticator). The public key remains on the web server. The public key encrypts the data, while the private key decrypts it. Together, these security keys ensure data is kept secure.
Before using WebAuthn, the user must complete a series of registration steps, often referred to as WebAuthn enrollment. These are the steps required to bind the authenticator device with the web server.
Registering for WebAuthn requires only a few simple step from the user and the API and authenticator do the rest:
- The user initiates the new account enrollment process.
- The web server sends data to bind the WebAuthn client and the user to the credential.
- The WebAuthn API prompts the user to select an authenticator to create a key pair.
- The authenticator stores the public and private keys, but only the public key is sent to the web server.
- The web server validates the authenticator's response and stores the user's data and public key to complete the enrollment.
Once a user has registered their authenticators with a web server, app authentication is possible using WebAuthn as a standalone passwordless solution. Alternatively, users may wish to use a traditional password as a second factor in unison with the WebAuthn standard, but this is not recommended.
The WebAuthn login process looks a little like this:
- The user navigates to a website or web app to initiate their login request.
- Web server sends a request to the browser, prompting the user to select an authentication method.
- Web server sends a challenge to the authenticator, which the user must complete using their fingerprint, their voice, or facial recognition.
- The authenticator decrypts the private key and sends a signature to the web server.
- If the signature is validated against the public key, the user gains access to the system.
WebAuthn is changing how we authenticate with apps and websites by removing user friction—there's nothing more frustrating than remembering endless passwords and finding your mobile device to enter yet another passcode. If you're interested in learning more about WebAuthn, check out the official specs at W3.org. If you're as hyped as we are about this exciting new technology, why not create a free developer account and take our SDKs that support WebAuthn for a spin?
Beyond Identity supports the implementation of WebAuthn and simplifies the complexity of device, browser, and OS compatibility. Get started today.