How to Use WebAuthn for Stronger Authentication on the Web
How to Use WebAuthn for Stronger Authentication on the Web
Web Authentication (WebAuthn) APIs promise to make security on the web easier for users, developers, and administrators by eliminating passwords and their many security limitations. Users can stop dealing with complex, hard-to-remember passwords. Businesses can stop protecting password databases and implement more robust authentication techniques.
This overview of WebAuthn will explain how this industry standard works, its advantages over other authentication approaches, and some of the challenges WebAuthn still faces on the path to adoption.
The World Wide Web Consortium (W3C) created WebAuthn to address a fundamental challenge to online security: passwords. Software-as-a-Service and other web applications rely on passwords to authenticate users and protect access to user data. However, the combination of human nature and poor information security hygiene makes passwords a common vector for cyberattacks.
Multi-factor authentication (MFA) is one solution to this problem. Rather than relying solely on a password, MFA adds at least one more security check, such as a biometric scanner.
Traditional enterprise security models can enforce MFA by issuing company-managed devices and security keys. BYOD and other trends, however, make enterprise users look more like the general public. They can access cloud resources from anywhere on any device. Designing an authentication system that covers all possible devices quickly becomes very complex.
Building on work from Google and Yubico, the Fast IDentity Online (FIDO) Alliance created an open standard for authentication with a USB security key. These devices use cryptography and an authentication protocol to create unique credentials that are more secure than passwords.
To push these standards beyond one device class, the FIDO Alliance handed their APIs to the W3C, which published “Web Authentication: An API for accessing Public Key Credentials” in 2019. This web authentication API lets companies build passwordless and multi-factor authentication systems that work with any compatible browser, device, and authentication method.
From the end user’s perspective, the WebAuthn experience isn’t much different from what they do now. In most consumer applications, the user associates their device with a web service during account creation and then uses their device’s authentication system to log in. Enterprises can implement more thorough registration and authentication methods.
Technological advances have let manufacturers embed powerful cryptoprocessors in their products. These embedded security chips create a protected environment for the generation of public-private cryptographic key pairs and the secure storage of private keys. Cryptoprocessors in modern computers and smartphones, such as Apple’s Secure Enclave and the PC industry’s Trusted Platform Module (TPM), serve as platform authenticators. Among other benefits, these security modules centrally manage cryptographic credentials.
Of the three authentication categories — knowledge, possession, and inherence — knowledge is the easiest to compromise. WebAuthn’s APIs make it easier to implement the other two factors.
Possession factors include TOTP generators such as an authenticator app or a USB security fob. High-security environments might also use security cards or other devices that users carry.
Inherence factors use biometrics to recognize physical aspects of the user. For example, iPhones use either TouchID or FaceID to recognize a user. Secure environments may use retinal scanners to control access.
During registration, authenticators on user devices generate public key credentials and send them to the site’s web servers. Since the public key credential ID ties the device to the web service, nobody else can use it.
A trust on first use (TOFU) approach is appropriate for low-risk public web services and enterprise applications that do not require identity verification. When users arrive at a WebAuthn-enabled account creation page, the registration process will follow these steps:
- Web server sends an account creation page to the browser.
- Browser displays the page and runs the WebAuthn Relying Party script.
- Relying Party script sends a message to the user’s browser.
- Browser connects to an authenticator, such as a fingerprint reader, on the user’s device.
- User performs an action appropriate to the authenticator, such as swiping a fingerprint reader.
- Authenticator generates a cryptographic public-private key pair and sends a response, including the public key, to the browser.
- Browser gives the public key credential to the Relying Party script.
- Relying Party script forwards the public key credential to the web server.
- Web server records the public key credential in the user’s account.
Financial websites or enterprise resources need more options to protect their sensitive data. An out-of-band identity verification process or the registration of multiple WebAuthn authenticators would improve security.
In the case of low-risk applications, a simple WebAuthn authentication process follows these steps:
- Web server sends a login page to the browser
- Browser displays page and runs the WebAuthn Relying Party script.
- User enters their username in the web form.
- Relying Party script asks the browser for an authentication assertion.
- Browser connects to the authenticator.
- User takes actions appropriate to the authenticator.
- Authenticator responds to the browser.
- Browser sends the assertion to the Relying Party script.
- Relying Party script forwards the assertion to the web server.
- Web server verifies the assertion with the user’s public key and authenticates the user.
To provide access to enterprise applications and other sensitive resources, companies can use WebAuthn to implement MFA. For example, a web service could require a fingerprint scan on a second device after users enter a temporary one-time password generated on their laptop.
WebAuthn’s standards take much of the complexity out of online authentication, making strong security more straightforward for users and developers alike. As a result, WebAuthn’s adoption delivers three core benefits:
Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, and other popular web browsers support WebAuthn. In addition, modern smartphones and computers include the hardware needed to generate WebAuthn’s cryptographic key pairs.
Consumers and business users benefit from having WebAuthn support on the personal or business devices they use every day.
Businesses also benefit from WebAuthn’s cross-platform support. The standard’s APIs allow authentication through various devices and authenticators without needing customized development. In most cases, companies can be confident that people with web access have technology that supports strong authentication.
WebAuthn removes many of the hassles that strong password security imposes on users. They don’t have to create or remember complex passwords that expire every few months. Consumers get a better sense of security when doing business online. Business users can use the same authentication process across their company’s web apps.
Enterprise benefits from a streamlined user experience include reducing a common reason for help desk calls — forgotten passwords. For consumer-facing web apps, WebAuthn’s passwordless logins lower abandonment rates during registration and improve customer retention.
Weak, recycled passwords have become a thing of the past. WebAuthn creates stronger credentials by taking human nature out of the security equation. Cryptographic credentials that pair an authenticator with a web service are inherently difficult to hack.
By going passwordless, companies do not need to store — or protect — shared secrets because WebAuthn pushes authentication to edge devices. Each authenticator’s private key credentials stay on the device. Only the public key gets shared.
WebAuthn lets companies require multi-factor authentication without a bespoke solution’s development and maintenance burden. Using the right API call is all it takes. And by making MFA easier to use, WebAuthn improves user compliance with strong security practices.
WebAuthn’s simplicity, ubiquity, and security offer significant improvements over other authentication methods.
Passwords - Since people cannot remember complex passwords, they form all sorts of bad security habits. An analysis of 1.7 billion credentials stolen in 2021 found that nearly two-thirds of victims used the same password across multiple accounts.
When hackers can’t buy the passwords they need, they can always phish for them. Social engineering techniques are so effective that a recent study found emails account for 90% of initial attacks, driving a 46% increase in phishing attacks in 2021.
One-time passwords (OTPs) - An easy way to implement MFA is by sending users one-time passwords via SMS messaging or email. However, OTPs can make websites less secure. The same social engineering attacks that let hackers steal passwords can open access to a person’s email and mobile accounts allowing them to intercept OTPs and access the protected account.
Published three years ago, WebAuthn is still a relatively new standard. Platform and hardware developers quickly added WebAuthn compatibility to their operating systems, browsers, and authenticators. Despite this early effort, WebAuthn is not as universal or complete as it first appears.
Manufacturers of client devices do not implement security features the same way. Inexpensive Android devices, for example, may not have biometric sensors. Computers running Windows, especially consumer models, often shipped without TPM or with their TPM disabled. Microsoft addresses this by making TPM 2.0 a Windows 11 requirement, but it will take time for this to make a difference. A year after its launch, Windows 11 is only 23% of the Windows installed base.
As the number of exceptions grows, implementing a consistent WebAuthn solution becomes more complicated. Companies that want stronger authentication must design solutions that address the capabilities of any devices that access their web services.
WebAuthn registration creates a credential that links a web service with a device’s authenticator. However, this credential does not include the user’s identity. When a user tries to access the service from a different device or another authenticator on the original device, the WebAuthn authentication process fails. Moreover, the standard does not provide a recovery method should a user lose their device.
One solution is to create separate credentials for all devices and authenticators during the registration process. This approach is appropriate for onboarding new employees when they and their devices are on-premises. Multi-device registration makes less sense for consumers, contractors, and remote users. Another out-of-band solution would be to let a user register a new device after verification through the original device.
Several proposals would refine WebAuthn’s specifications to address these usability issues. Apple, for example, is turning its iCloud Keychain into a proprietary credential manager that would share WebAuthn credentials across a user’s Apple products. The FIDO Alliance has proposed platform-agnostic standards to let WebAuthn create multi-device credentials and use Bluetooth to turn smartphones into roaming authenticators.
These outstanding compatibility and usability may not be a concern for companies that can impose strict controls over device usage. For companies that must support a wide range of use cases, WebAuthn’s challenges may be too expensive to address. They cannot eliminate their password systems without excluding part of their user base. Rather than developing and maintaining parallel authentication processes, resources may be better spent securing their current password authentication system.
While WebAuthn adoption may not be as advanced as the standard’s promoters hoped, its benefits are compelling. As more websites stop using passwords to verify their users’ identities, online security will improve dramatically. Passwordless authentication that is as easy to implement as it is easy to use would create a seamless experience for people online while boosting their confidence that websites will protect their personal information.