WebAuthn Capabilities and Limitations
Unless you've been hiding under a rock, as a security-oriented developer or emerging technology enthusiast you'll no doubt have been following the evolving authentication landscape. Most notable is the game-changing introduction of the WebAuthn standard, which has become widely available in the past five years. If you're unfamiliar with what WebAuthn is and how it works, our intro to WebAuthn post explains everything you need to know. In a nutshell, though, WebAuthn is a Web API (for browsers) that allows businesses to implement passwordless authentication for their users.
In the same way that password-based MFA increases user friction and carries some concerning security vulnerabilities, certain drawbacks accompany the benefits of passwordless authentication. It’s worth considering those issues before implementing the WebAuthn API in your applications. For example, WebAuthn is a Web standard, not a product, so implementing the API will require a medium to heavy lift from developers.
As we outline below, different operating systems and browsers implement FIDO WebAuthn differently, and some do not support WebAuthn at all. As a result, the setup of WebAuthn on a Windows 10 device may vastly differ from the implementation required for an Android device. On top of that, the large number of browser and operating system permutations creates both additional effort for developers and an inconsistent user experience for customers.
Before you decide WebAuthn is too complex, here are some advantages and points of caution to help you make an informed choice.
Capabilities & Limitations of WebAuthn
First, let's dig into the benefits of authentication using WebAuthn.
Increased security: WebAuthn reduces the likelihood of a breach by using unphishable authentication factors. It does this by using public-key cryptography in place of weak, knowledge-based factors. This means the user is authenticated with their registered physical device (possession factor) and an optional PIN or biometric.
The 2022 Verizon Data Breach Investigations Report found that the most popular path attackers used when accessing an organization’s data was through credentials—around 50% of breaches involved stolen or compromised credentials. In second place was phishing, which accounted for almost 20% of breaches (DBIR).
A frictionless login experience: Remembering countless passwords is a chore, especially when you've entered a password only to be greeted with another authentication step. A 2020 report from the Ponemon Institute found that over 55% of users surveyed would prefer an alternative authentication method to using traditional passwords to make their lives easier (Ponemon Institute).
WebAuthn allows you to authenticate users without a password.
General platform support: Another advantage of the WebAuthn standard is its support across all major operating systems and browsers. At the time of writing, WebAuthn is supported on Microsoft Edge, Mozilla Firefox, Safari, Google Chrome, Google Android, and Windows 10. While support for WebAuthn is growing, each platform delivers a different user experience and differs in which WebAuthn features it supports.
Now that you understand some of the advantages WebAuthn provides, let’s look at the drawbacks.
Compatibility issues: While more browsers are adding support for WebAuthn, not every modern browser and operating system supports the standard yet. Currently, WebAuthn is unavailable on Opera, Linux, Internet Explorer, and older versions of all major browsers.
Additionally, even platforms that support WebAuthn may not support all of its features, or may present different interfaces to the end user. As a result, some users will be unable to use WebAuthn at all or to use every feature it provides, or they may experience inconsistent user flows across browsers and operating systems.
Replacing lost authenticators: If a user's registered authentication device is lost, it may be difficult to bind their existing WebAuthn account with a new passkey. A passkey is a multi-device credential that uses public-private key pairs to authenticate. The WebAuthn API intentionally makes it extremely difficult to bind a new key to an existing account for security purposes. Given the friction around recovery, WebAuthn is typically implemented as a second factor in addition to a password, which detracts from the full extent of the security benefits reaped from complete password elimination.
Limited developer support: Developer support for working with the WebAuthn API is thin, offering steps that cover how to create and use a passkey but limited guidance on how to store them. Likewise, little information is available on what options developers have for browsers that do not support the standard.
Lack of risk policy, directory, or integrations with common security tooling: As a standard, FIDO2 (and WebAuthn by extension) offers neither a directory nor integrations with established identity and security tools, including customer identity and access management (CIAM) platforms. This may be a barrier to implementation for some organizations. Additionally, the standard has no capabilities for access policies based on user and/or device risk.
Lack of device management capabilities: While the WebAuthn API allows developers to integrate passwordless capabilities, it does not specify how FIDO credentials should be handled by the end user. That is, it does not say how a user should add, remove, or view the registered devices or passkeys associated with an individual account.
Although WebAuthn implementations may be difficult, the growing adoption of FIDO2 and WebAuthn is a positive move toward a more secure, passwordless future.
If you want to develop your own WebAuthn integration, you can find the API specifications here. If you like the idea of WebAuthn, but want to avoid the complexities of device, browser, and operating system compatibility and have out-of-box directory, integration, device management, and risk policy support, we’ve made it easy with our SDKs.
Get started for free with a developer account today.