David Maples

Go passwordless with the new Yubico WebAuthn Starter Kit

WebAuthn is the latest open standard for modern online authentication that is highly phishing resistant, combining high security with a simple and easy user experience. With WebAuthn, any web service can integrate strong authentication into applications using support built-in to all leading browsers and platforms. This means that web services can now easily offer users strong authentication with a choice of authenticators such as YubiKey security keys or built-in platform authenticators with biometric readers.

WebAuthn is the first standard to enable strong single factor passwordless (Tap n Go), strong multi-factor passwordless authentication, as well as strong second factor authentication for more secure user access to online accounts.  In the strong multi-factor passwordless authentication scenario, Yubico is presenting passwordless login as YubiKey + PIN  to authenticate, and future YubiKey + Fingerprint with the upcoming YubiKey Bio

With the wide adoption of WebAuthn across OS and browser vendors, WebAuthn has moved to the mainstream for strong authentication, and service providers have taken notice. Yubico is delighted to make the integration experience of WebAuthn easier to implement for architects, developers, and system designers, by providing a fully-fledged, open source, reference architecture in our WebAuthn Starter Kit.

The Yubico WebAuthn Starter Kit provides an example of a WebAuthn-centric architecture featuring an authentication framework which bridges the gap between legacy password-based login and a modern passwordless experience. Not only does the Yubico WebAuthn Starter Kit include code ready to be deployed to any AWS account, but it also includes documentation that covers the application logic, reference implementation details, and best practices around WebAuthn.

Addressing developer pain points

Currently, a developer looking to integrate WebAuthn into their identity provider may have difficulties finding code examples and documentation that explain:

  • Steps on how to adopt WebAuthn and migrate users away from passwords.
  • WebAuthn credential management and lifecycle best practices.

The Yubico WebAuthn Starter Kit helps to address the pain points associated with the transition away from passwords by using a dynamic flow centered on the user’s identity. In an identifier-first flow, a user is automatically guided down the login path enabled by the authenticators they have registered with their account (i.e. YubiKeys, built-in biometric sensors, etc.) using a password only if the authenticator does not support multi-factor, or is not supported by the client (i.e. browser or operating system) they are authenticating with. Validating that the authenticator’s user verification flag matches the expected value on the server-side is a crucial element of the identifier-first flow guidance.

The Kit aims to provide a reference architecture demonstrating the concepts in a practical deployment. The ultimate goal is to provide interested developers with an environment they can stand up for their own use. This environment is designed to resemble authentication frameworks that are in use today, but with WebAuthn incorporated as a cornerstone of a passwordless experience versus a standard two-factor authentication flow.

Leveraging Amazon Web Services (AWS) 

Yubico leveraged the AWS Serverless Application Model to act as a uniform framework for users to deploy personal instances of the Yubico WebAuthn Starter Kit to review. Additionally, a script automating the deployment is also included, streamlining the deployment process and ensuring uniformity. A free AWS account is sufficient for anyone looking to deploy the WebAuthn Starter Kit.

In addition to a backend server hosted on AWS, the Yubico WebAuthn Starter Kit also provides a sample web client as part of a standard deployment, allowing interested parties to share the WebAuthn experience with others in their organization.

Transitioning from passwords to passwordless with WebAuthn

The benefit to passwords is that they are universal — everyone knows how to use them, and everyone has the ability to create their own. The downfall is that passwords are not secure and can be easily hacked, or breached from a server. And while easy to set up, the experience is also sub-optimal, requiring a user to remember hundreds of passwords and periodically change them, often in favor of more complex versions. By contrast, WebAuthn offers a global standard for secure authentication on the web, with the ability to potentially eliminate passwords altogether, across all leading browsers and platforms. This enables a secure and consistent user experience, no matter what device they are on. 

By not requiring unnecessary user interaction, services can automatically guide users down the most secure path and simultaneously support the entire range of authentication options from YubiKey as a 2nd factor with passwords to passwordless.  Ultimately, services can direct users to a WebAuthn passwordless experience when applicable for them, while still supporting users who have not had the opportunity or desire to move beyond their password. This can all be done while maintaining a similar user flow.

Using the Yubico WebAuthn Starter Kit

The Yubico WebAuthn Starter Kit and associated documentation was created with technical audiences in mind. The goal is to address the practical implementation and code-specific questions, as well as provide more theoretical WebAuthn best practices and integration-related advice.

  • Architects and high-level system designers will benefit from having a deployment where individual components are well defined, with the interactions between each element clearly described. Further, the benefits of an identifier-first flow, bridging passwords and passwordless experiences, can be observed in practice, bringing clarity on how such a flow can be integrated into existing architectures.
  • UI/UX and client system developers will benefit from an open source client, allowing them to understand both the required connections to a backend system for implementing WebAuthn, as well as the new authentication options for users that WebAuthn enables. Further, the Starter Kit addresses some of the most common concerns for WebAuthn, such as account recovery.
  • Backend and server system developers will have a working WebAuthn server, which implements the entire WebAuthn spec connected to backend logic to handle not only performing WebAuthn interactions, but also backend credential and user management. With a working example to refer to, development can be streamlined across multiple platforms and languages.

Getting the WebAuthn Starter Kit

The Yubico WebAuthn Starter Kit is now in early access and we look forward to your feedback. It can be downloaded from the Yubico Developer Program Portal after creating a free account.