Authentication has made significant progress over the past five years. It has matured beyond passwords with the introduction of a variety of two-factor authentication methods, and most recently, we have the advent of passwordless logins with WebAuthn, the new global standard for web authentication.
WebAuthn now sets a new bar for user authentication and is considered best in class for protecting user accounts. With support in all major browsers and platforms, WebAuthn offers the opportunity for services to easily offer a wide choice of strong authentication methods to users, including a passwordless experience. This consists of using security keys or built-in authenticators such as biometric readers.
To experience the WebAuthn login experience, please take a look at our demo site where you can try out registering different authentication methods using WebAuthn.
For those curious about the additional benefits of passwordless login, we put together a list of five reasons to upgrade to WebAuthn authentication.
One of the key differentiators of WebAuthn is the widespread acceptance and adoption of the technology across major browsers, operating systems and devices. To date, Microsoft Edge, Mozilla Firefox, Google Chrome and Google Android have already added support for WebAuthn, and Apple most recently announced WebAuthn support by default in Safari Technology Preview Release 83.
Additionally, the growing availability of built-in authenticators on computers and phones is providing users new options for authentication. As a service provider, this enables you to offer fast, convenient, and secure authentication options for all types of users, regardless of what kind of device or operating system they are using.
Improved Security for Customers & the Business
WebAuthn replaces weak password-based login or knowledge-based answer recovery with strong public key cryptography with origin checking to prevent phishing. By making strong authentication the baseline for using built-in and external hardware authenticators, users are protected from account takeovers. A recent study by Google reviewed more than 350,000 wide-scale and targeted attacks, and showed that security keys were the most effective at stopping account takeovers. Not only does the elimination of password-based login protect customers from the threats of credential theft and phishing, but it also relieves your organization from the vulnerabilities associated with storing and protecting millions of user credentials.
Improved Customer Experience & Brand Loyalty
The average US consumer tries to keep track of over 14 different passwords across all their websites and services. Business users are estimated to be responsible for memorizing and using an even greater number of passwords, reaching up to as many as 191. The sheer number of passwords required for daily digital activities inevitably results in forgotten passwords, password resets, or at the worst, account takeovers due to weak or reused passwords. As a result, passwords degrade customer experiences, reduce brand loyalty, and contribute to lost revenue.
Passwordless login with WebAuthn provides an experience that is faster and more secure than usernames and passwords, transforming the online user experience into the familiar split-second convenience of using an ATM card. WebAuthn also enables users lacking cellular access to still authenticate when they typically might not be able to with authentication methods like one-time codes sent to mobile devices via text messages.
Lower Operational Costs
When users forget their passwords, they often end up calling help desks or support centers, consuming valuable time from support staff. In fact, Gartner estimates that password reset inquiries account for 20 to 50 percent of all help desk calls, which can cost large companies between $5 million and $20 million annually.
WebAuthn enables support and IT departments – including service desks and call centers — to be free from the operational overhead incurred from having to create, store, cycle, and reset passwords. It can simplify user on-boarding and given that password resets currently represent the number one IT support cost, passwordless login promises to significantly reduce workloads in IT call centers where agents today spend considerable time setting and resetting user passwords.
Simple & Flexible Integration Options
WebAuthn introduces the option for strong single-factor, two-factor, or multi-factor authentication. With this expanded choice of authentication flows, developers choosing to add WebAuthn support will have the option to select the authentication model that best suits their use cases and customers. This is specifically useful for organizations who require a higher level of authentication security or who may prefer a layered approach (ex: a PIN, biometric or gesture for additional protection) for certain in-app actions like changing a personal information or transferring a large sum of money.
WebAuthn is also backwards-compatible with FIDO U2F authenticators for a second factor use case. This means that all previously certified FIDO U2F security keys, such as the YubiKey 4 or YubiKey NEO, will continue to work as a form of second-factor authentication login with WebAuthn-enabled authentication flows.
To learn more about the WebAuthn open standard and how it can benefit your organization, read our ‘Going Passwordless’ whitepaper. We also offer full development resources on our developer site to enable rapid WebAuthn implementations.