When it comes to WebAuthn, there’s certainly no shortage of acronyms or protocols. But what do they mean, and which ones do you need to care about? Fret not – both clarity and help are available! In this blog, we’ll share tips on how to implement WebAuthn, as well as share news about java-webauthn-server library updates and the newest version of Yubico’s WebAuthn Starter Kit.
Where it started
Universal 2nd Factor (U2F) is an open standard for authentication using hardware tokens, such as a YubiKey. It was first launched in 2014 under the FIDO Alliance. Yubico co-created the standard, and YubiKeys were among the first U2F Security Keys available. The standard mainly comprised two parts:
- The FIDO U2F HID Protocol, used to communicate between the host computer (the “client”) and the Security Key (the “authenticator”) over USB, with NFC and Bluetooth transports specified separately. This layer was later renamed CTAP1, the Client To Authenticator Protocol.
Support for these protocols was added to a few browsers, and the standard served to demonstrate and prove the concept, but some of its limitations hindered widespread adoption.
What it became
How to implement WebAuthn
So far we’ve covered host-to-authenticator communication (CTAP) and web page-to-browser communication (WebAuthn), but we haven’t really looked at the server side yet. The FIDO2 specifications outline step by step what a server (the Relying Party) needs to do to validate a credential, but the actual WebAuthn implementation is left as an exercise for the reader. There are several libraries available to help with this, including version 2.0 of Yubico’s java-webauthn-server library, which just launched. The library lets your existing JVM-based backend add support for WebAuthn and takes care of:
- creating the options you send to the client and parsing the binary (CBOR-encoded) attestation and assertion responses it sends back;
- validating cryptographic signatures; and
- enforcing the rules imposed by the specification, such as the challenge, origin and RP ID checks and the signature counter.
This new library also offers support for the FIDO Metadata Service 3 (FIDO MDS3), which lets you look up metadata about the Security Key a user registers, including the vendor and product name, its supported features, and any status reports published for that model. The lookup is keyed on the attestation the authenticator sends during registration (its AAGUID and attestation certificate chain), so it only applies to credentials whose attestation chains to a trusted root. While this data isn’t required to implement WebAuthn on the server side, it can be used to enrich the user experience and, should it be needed, to disallow Security Keys with known problems.
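To make the server-side ceremonies concrete, here is an added example written for this page; it is not code from Yubico’s library, Starter Kit or any other project. It assumes java-webauthn-server 2.0 and its webauthn-server-attestation module on the classpath, an RP ID of example.com, and an in-memory CredentialRepository; the class and method names (InMemoryCredentials, WebAuthnCeremonies, beginRegistration, finishRegistration, beginLogin, finishLogin) and the cache file names are this example’s own. It shows the two halves of each ceremony, the repository contract the library needs, and where MDS attestation trust feeds into registration policy.

```java
import com.yubico.fido.metadata.FidoMetadataDownloader;
import com.yubico.fido.metadata.FidoMetadataService;
import com.yubico.webauthn.*;
import com.yubico.webauthn.data.*;
import java.io.File;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

/** In-memory CredentialRepository for illustration only (example code); back this with a database in production. */
final class InMemoryCredentials implements CredentialRepository {
  private final Map<String, ByteArray> userHandles = new ConcurrentHashMap<>();
  private final Map<ByteArray, RegisteredCredential> byId = new ConcurrentHashMap<>();

  ByteArray userHandleFor(String username) {   // opaque random user handle; never the username or e-mail
    return userHandles.computeIfAbsent(username, u -> { byte[] b = new byte[32]; new SecureRandom().nextBytes(b); return new ByteArray(b); });
  }
  void store(RegisteredCredential cred) { byId.put(cred.getCredentialId(), cred); }
  void updateSignatureCount(ByteArray credentialId, long count) {
    RegisteredCredential c = byId.get(credentialId);
    if (c != null) store(RegisteredCredential.builder().credentialId(c.getCredentialId())
        .userHandle(c.getUserHandle()).publicKeyCose(c.getPublicKeyCose()).signatureCount(count).build());
  }
  @Override public Set<PublicKeyCredentialDescriptor> getCredentialIdsForUsername(String username) {
    ByteArray handle = userHandles.get(username);
    Set<PublicKeyCredentialDescriptor> out = new HashSet<>();
    for (RegisteredCredential c : byId.values())
      if (c.getUserHandle().equals(handle)) out.add(PublicKeyCredentialDescriptor.builder().id(c.getCredentialId()).build());
    return out;
  }
  @Override public Optional<ByteArray> getUserHandleForUsername(String username) {
    return Optional.ofNullable(userHandles.get(username));
  }
  @Override public Optional<String> getUsernameForUserHandle(ByteArray userHandle) {
    return userHandles.entrySet().stream().filter(e -> e.getValue().equals(userHandle)).map(Map.Entry::getKey).findFirst();
  }
  @Override public Optional<RegisteredCredential> lookup(ByteArray credentialId, ByteArray userHandle) {
    return Optional.ofNullable(byId.get(credentialId)).filter(c -> c.getUserHandle().equals(userHandle));
  }
  @Override public Set<RegisteredCredential> lookupAll(ByteArray credentialId) {
    RegisteredCredential c = byId.get(credentialId);
    return c == null ? Collections.<RegisteredCredential>emptySet() : Collections.singleton(c);
  }
}

public final class WebAuthnCeremonies {
  private final InMemoryCredentials creds = new InMemoryCredentials();
  private final RelyingParty rp;

  WebAuthnCeremonies() throws Exception {
    // FIDO MDS3: fetch (or reuse a cached copy of) the signed metadata BLOB, verified against the FIDO root.
    FidoMetadataDownloader downloader = FidoMetadataDownloader.builder()
        .expectLegalHeader("Retrieval and use of this BLOB indicates acceptance of the appropriate agreement located at https://fidoalliance.org/metadata/metadata-legal-terms/")
        .useDefaultTrustRoot().useTrustRootCacheFile(new File("fido-mds-trust-root-cache.bin"))  // assumed cache paths
        .useDefaultBlob().useBlobCacheFile(new File("fido-mds-blob-cache.bin"))
        .build();
    FidoMetadataService mds = FidoMetadataService.builder().useBlob(downloader.loadCachedBlob()).build();
    rp = RelyingParty.builder()
        .identity(RelyingPartyIdentity.builder().id("example.com").name("Example RP").build())  // assumed RP ID
        .credentialRepository(creds)
        .attestationTrustSource(mds)      // attestation chains are validated against the MDS trust anchors
        .allowUntrustedAttestation(true)  // self-attested keys still register; policy is applied in finishRegistration
        .build();
  }

  /** Registration step 1: options for navigator.credentials.create(); keep the returned request server-side. */
  PublicKeyCredentialCreationOptions beginRegistration(String username) {
    return rp.startRegistration(StartRegistrationOptions.builder()
        .user(UserIdentity.builder().name(username).displayName(username).id(creds.userHandleFor(username)).build())
        .authenticatorSelection(AuthenticatorSelectionCriteria.builder().residentKey(ResidentKeyRequirement.PREFERRED)
            .userVerification(UserVerificationRequirement.PREFERRED).build())
        .build());
  }

  /** Registration step 2: finishRegistration() checks challenge, origin, RP ID hash and attestation, throwing
   *  RegistrationFailedException on any violation; the return value says whether MDS proved the key's make/model. */
  boolean finishRegistration(PublicKeyCredentialCreationOptions request, String responseJson) throws Exception {
    PublicKeyCredential<AuthenticatorAttestationResponse, ClientRegistrationExtensionOutputs> pkc =
        PublicKeyCredential.parseRegistrationResponseJson(responseJson);
    RegistrationResult result = rp.finishRegistration(
        FinishRegistrationOptions.builder().request(request).response(pkc).build());
    creds.store(RegisteredCredential.builder().credentialId(result.getKeyId().getId())
        .userHandle(request.getUser().getId()).publicKeyCose(result.getPublicKeyCose())
        .signatureCount(result.getSignatureCount()).build());
    return result.isAttestationTrusted();  // false: unknown model; a high-assurance deployment would reject or flag it
  }

  /** Authentication step 1: options for navigator.credentials.get(); the request carries the challenge. */
  AssertionRequest beginLogin(String username) {
    return rp.startAssertion(StartAssertionOptions.builder().username(username).build());
  }

  /** Authentication step 2: finishAssertion() verifies signature, user handle and counter (a non-increasing
   *  counter, a cloning indicator, is rejected by default) and throws AssertionFailedException otherwise. */
  String finishLogin(AssertionRequest request, String responseJson) throws Exception {
    PublicKeyCredential<AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs> pkc =
        PublicKeyCredential.parseAssertionResponseJson(responseJson);
    AssertionResult result = rp.finishAssertion(
        FinishAssertionOptions.builder().request(request).response(pkc).build());
    if (!result.isSuccess()) throw new SecurityException("assertion rejected");
    creds.updateSignatureCount(pkc.getId(), result.getSignatureCount());  // persist the new counter
    return result.getUsername();
  }
}
```

The browser side is out of scope here: `request.toCredentialsCreateJson()` and `request.toCredentialsGetJson()` produce the JSON to hand to `navigator.credentials.create()` and `navigator.credentials.get()`, and the JSON the browser sends back is what the two finish methods take. Two things are deliberate: the request object returned by each begin method must be held server-side (session or short-lived store) and passed back into finish, because that is where the challenge lives; and `loadCachedBlob()` downloads the MDS BLOB on first use and then reuses the cache file, so the constructor needs network access once and the BLOB should be refreshed on a schedule.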
If Python is more your style, we’re also releasing version 1.0 of our python-fido2 library. We’ve just published the first Release Candidate (RC1) for 1.0, and plan to have the final version out in about a month’s time. python-fido2 is not only a WebAuthn server library capable of doing much of what our Java library does; it is also a client library. This means it implements the CTAP protocols, allowing you to access FIDO2 functionality outside a browser by talking directly to a YubiKey over USB or NFC.
Looking for something a bit lower-level? Try our C library, libfido2, which also has several third-party bindings for other languages. This is a client library (again, that means it handles CTAP) which also has some functionality for verifying signatures and attestation. It is used in OpenSSH, among other projects, to let you authenticate your SSH sessions with a YubiKey!
WebAuthn Implementation Starter Kit
Additionally, we’re excited to announce the launch of a new version of the WebAuthn Starter Kit, an open source project and reference architecture that aims to guide developers on their journey to enabling Passwordless and Adaptive Multi-Factor Authentication in their applications. This version takes a deeper look at how attestation and the FIDO Metadata Service are used to prove the validity and identity of a Security Key to a Relying Party, while also providing details about the device itself.
We also discuss the concept of Platform Authenticators as Trusted Devices. This shifts the current Trusted Device paradigm away from something implemented with cookies or local storage, which are bearer tokens that can be copied or stolen, towards a WebAuthn-backed credential whose private key never leaves the platform authenticator built into popular consumer devices. In this way, the use of Platform Authenticators can serve as a good complement to Security Keys.
The WebAuthn Starter Kit also covers best practices for handling the user experience of WebAuthn-enabled applications. It’s become clear that the many permutations of platforms, browsers, and credential devices can make the transition to WebAuthn overwhelming for users accustomed to traditional username/password authentication. Our implementation aims to deliver greater transparency, and to ensure that users understand what action they need to take, when to take it, and when it’s being processed.
Widespread WebAuthn implementation, which can help curb account takeovers from phishing and other modern cyberthreats, will not stick unless everyday users come to trust it. It’s (past) time to move from U2F to WebAuthn: not just because browsers will no longer support the U2F API, but because WebAuthn enables a range of new features as well! We hope some of our libraries can make implementing these standards a bit easier for you, and we would love your feedback on making them even better going forward. Lastly, we hope these new releases not only enable further adoption of passwordless, but also foster a better understanding of the different parts that make up WebAuthn.
To learn more about all things new with WebAuthn and WebAuthn implementation, check out our on-demand webinar, “MFA with WebAuthn: Implementation Updates and the Road Ahead.” Additionally, sign up for our upcoming webinar, “How to enhance your Adaptive MFA strategy using Yubico’s Java WebAuthn Server,” here.