Have you ever dreamed of a password-free future? A new standard called WebAuthn (short for Web Authentication) seeks to deliver just that by using a combination of offline and online authentication that allows internet users to register and authenticate themselves on the web using various authenticators.
The new proposed standard aims high with its goals: to replace the legacy approach of using a username and password for authentication with today’s modern technology.
What Is WebAuthn?
Built on top of two previous FIDO specifications, U2F and UAF, the new WebAuthn standard is a joint effort by the FIDO (Fast Identity Online) Alliance and the World Wide Web Consortium (W3C). WebAuthn is essentially an API that enables the “creation and use of strong, attested, scoped, public key-based credentials by web applications for the purpose of strongly authenticating users,” according to the specification description currently in the Candidate Recommendation stage at W3C. It allows users to register and authenticate with web applications using various authentication form factors such as hardware security keys, smartphones, or Trusted Platform Module (TPM) devices.
What Does WebAuthn Mean for the Regular Web User?
The primary problem with the legacy authentication systems in use today is that they cannot verify that the real user is present, which has made man-in-the-middle attacks possible. WebAuthn eliminates this possibility by confirming the real user’s presence via biometrics or other input methods.
Mobile wallets were built from this concept: the user validates their identity by placing a finger on the built-in fingerprint sensor or by looking into the front-facing camera and authenticating using Face ID.
Apple has taken this technology one step further with a feature built into macOS called Handoff, which has made Apple Pay on the web possible. If you happened to visit an online store that supports Apple Pay, you could simply pay on the web by using Touch ID on an iPhone. The catch to this was that the authorization was sent to the connected computer via Bluetooth, which is at the core of Handoff.
Tech giants backing FIDO2 and now WebAuthn say that this new standard is similar to Apple’s, but better. Apple’s service is limited to a payment service and its own ecosystem, which currently represents only a fraction of global computer users. By comparison, WebAuthn is currently supported by Microsoft, Google, and Firefox. This means that all users running Windows 10, as well as Chrome, Firefox, and Android smartphone users, will be able to use WebAuthn to register and log in to web services without a password.
How Does WebAuthn Work?
As with every service, users first need to register for WebAuthn. Note that registration is hardware-based: you register either a smartphone, a TPM-equipped computer, or a security key. The credentials created through this API are tied to that specific device and rely on public-key (asymmetric) cryptography.
When a user registers for the service, an account credential is created for verifying that person’s identity. During registration a public/private key pair is generated: the private key is stored on the registered hardware, and the public key is sent to the website’s database.
When a user visits a website and tries to register an account, a prompt appears on their smartphone asking whether to register with that website. After accepting the request, the user is required to perform an ‘authorization gesture’, which could be a biometric check or a PIN code. Completing this gesture finalizes the registration, and no password is required.
What WebAuthn Means for Passwords
WebAuthn seeks to confirm the presence of the real user at the moment of authentication by requiring this authorization gesture. As biometric sensors become more widely adopted in the mobile industry, it is highly likely that this will commonly take the form of fingerprint authorization. But that’s far in the future, since WebAuthn is not yet supported on any smartphone.
In its current form, WebAuthn supports physical security keys such as Yubico’s, which are already integrated with password managers such as LastPass.
The Problem With WebAuthn
WebAuthn has great potential for eliminating the password and helping users create one strong online identity that is protected by cryptographic techniques, but support for this standard needs to go beyond just web browsers.
For users to make the most of today’s technology, the WebAuthn standard needs support from business giants such as Facebook and Amazon, and other web apps. The adoption of this new standard among users depends on how such giants react to it and whether they are ready and willing to go through the hassle of redesigning their existing infrastructure to support WebAuthn.
But would you be ready to use it?