When it comes to WebAuthn, there’s certainly no shortage of acronyms or protocols. But what do they mean, and which ones do you need to care about? Fret not – both clarity and help are available! In this blog, we’ll share tips on how to implement WebAuthn, as well as share news about java-webauthn-server library updates and the newest version of Yubico’s WebAuthn Starter Kit.
Where it started
Universal 2nd Factor (U2F) is an open standard for authentication using hardware tokens, such as a YubiKey. It was initially launched back in 2014 under the FIDO Alliance. Yubico was a co-creator of this standard, and YubiKeys were among the first Universal 2nd Factor (U2F) Security Keys available. The standard mainly comprised two parts:
- The FIDO U2F HID Protocol, used to communicate between the host computer (the “client”) and the Security Key (the “authenticator”) over USB or NFC. This was later renamed CTAP1, the Client To Authenticator Protocol.
- The FIDO U2F JavaScript API, used by websites to register and authenticate credentials.
Support for these protocols was added to a few different browsers, and the standard served to demonstrate and prove the concept, but some of its limitations hindered widespread adoption.
What it became
While U2F was great for increased security and ease of use, there is always room for improvement. The successor to U2F is called FIDO2, and brings in support for a lot of new use cases, such as “passwordless login,” support for PIN and biometrics on-device, and several other extensions. This brought new APIs in the form of CTAP2 to support these new features in the Security Keys, and WebAuthn as a replacement for the FIDO U2F JavaScript API.
WebAuthn fully replaces the older JavaScript API, and is standardized by the W3C and implemented in all the major browsers. Support for the older U2F API has now been phased out, and it no longer works in most browsers. This is where WebAuthn comes in: it is fully compatible with both CTAP1 (the U2F protocol) and CTAP2 (the FIDO2 protocol). It’s even possible to continue using old U2F credentials through the WebAuthn API via an extension, meaning users don’t necessarily have to re-register their Security Keys to keep using them. Since WebAuthn is the API most developers will interact with, “WebAuthn” has also become an umbrella term for not just the browser parts, but for the whole end-to-end implementation, from Security Key to server.
How to implement WebAuthn
So far we’ve covered host-to-authenticator communication (CTAP) and web page-to-browser communication (WebAuthn), but we haven’t really looked at the server side yet. The FIDO2 specifications outline step-by-step what a server needs to do to validate a credential, but actual WebAuthn implementation is left as an exercise for the reader. There are several libraries available to help with this, including version 2.0 of Yubico’s java-webauthn-server library, which just launched. The library allows your existing JVM-based backend to add support for WebAuthn and takes care of:
- creating and reading the binary messages you need to send to and receive from the client;
- validating cryptographic signatures; and
- enforcing the rules imposed by the specification.
This new library also offers support for the FIDO Metadata Service 3 (FIDO MDS3), which allows you to get metadata about the Security Key a user is using, including the vendor and product name, and so on. While this data isn’t required to implement WebAuthn on the server side, it can be used to enrich the user experience, and should it be needed, to disallow usage of Security Keys with known problems.
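To make the server-side work in the list above concrete, here is an added example (not code from java-webauthn-server or python-fido2, and not from the original post) that does two of the three jobs with only the Python standard library: it reads the binary authenticator data an authenticator returns (rpIdHash, flags, signature counter and, for registrations, the AAGUID and credential ID that an FIDO MDS lookup is keyed on), and it enforces the specification's checks on an authentication response (clientData type, challenge, origin, rpIdHash, user presence/verification and the signature-counter rule). It stops at building the bytes the authenticator signed; verifying that signature against the stored public key is the third job and is left to a crypto library. All byte values and the `example.com` relying party are constructed sample input, and the COSE key bytes in the registration sample are a placeholder.

```python
import base64
import hashlib
import json
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Flag bits in the authenticator data "flags" byte (WebAuthn section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included (registration responses)
FLAG_ED = 0x80  # extension data included


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes] = None            # 16-byte model id; the key used for an MDS lookup
    credential_id: Optional[bytes] = None
    credential_public_key: Optional[bytes] = None  # raw COSE key (CBOR), left undecoded here


def parse_authenticator_data(data: bytes) -> AuthenticatorData:
    """Split the fixed-layout authenticator data: rpIdHash(32) | flags(1) | signCount(4) | ..."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = data[:32], data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    result = AuthenticatorData(rp_id_hash, flags, sign_count)
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("truncated attested credential data")
        result.aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        result.credential_id = data[55:55 + cred_len]
        if len(result.credential_id) != cred_len:
            raise ValueError("truncated credential id")
        if flags & FLAG_ED:
            # Separating the COSE key from the extensions needs a CBOR decoder; not done here.
            raise ValueError("extension data present; CBOR decoding required")
        result.credential_public_key = data[55 + cred_len:]
    return result


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_assertion(client_data_json: bytes, auth_data: bytes, *, expected_challenge: bytes,
                    expected_origin: str, rp_id: str, stored_sign_count: int,
                    require_uv: bool = False) -> Tuple[bytes, int]:
    """Apply the spec's checks to an authentication (webauthn.get) response.

    Returns (bytes the authenticator signed, new signature counter). The actual
    signature check runs over those bytes with the credential's stored public key.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected clientData type")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (replayed or forged response)")
    if client_data.get("origin") != expected_origin:
        raise ValueError("origin mismatch (response was produced for a different site)")
    parsed = parse_authenticator_data(auth_data)
    if parsed.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not parsed.flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not parsed.flags & FLAG_UV:
        raise ValueError("user verification required but not performed")
    # Counter rule (section 7.2): if either counter is non-zero, the new value must be
    # strictly greater than the stored one; otherwise the authenticator may be cloned.
    if (parsed.sign_count or stored_sign_count) and parsed.sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase (possible cloned authenticator)")
    signed_bytes = auth_data + hashlib.sha256(client_data_json).digest()
    return signed_bytes, parsed.sign_count


# --- Constructed sample input (not captured from a real authenticator) ---
RP_ID = "example.com"
ORIGIN = "https://example.com"
CHALLENGE = b"constructed-challenge-0123456789"
SAMPLE_AUTH_DATA = (hashlib.sha256(RP_ID.encode()).digest()
                    + bytes([FLAG_UP | FLAG_UV]) + struct.pack(">I", 42))
SAMPLE_CLIENT_DATA = json.dumps({
    "type": "webauthn.get",
    "challenge": base64.urlsafe_b64encode(CHALLENGE).rstrip(b"=").decode(),
    "origin": ORIGIN,
}).encode()
# Registration-shaped data: AT flag set, 16-byte AAGUID, 4-byte credential id, placeholder key.
SAMPLE_REG_AUTH_DATA = (hashlib.sha256(RP_ID.encode()).digest() + bytes([FLAG_UP | FLAG_AT])
                        + struct.pack(">I", 0) + b"\x11" * 16 + struct.pack(">H", 4) + b"cred"
                        + b"\xa5\x01\x02")


def demo() -> int:
    signed, new_count = check_assertion(SAMPLE_CLIENT_DATA, SAMPLE_AUTH_DATA,
                                        expected_challenge=CHALLENGE, expected_origin=ORIGIN,
                                        rp_id=RP_ID, stored_sign_count=41, require_uv=True)
    print(f"signed {len(signed)} bytes, counter now {new_count}")
    return new_count


if __name__ == "__main__":
    demo()
```

The counter check is the piece most often skipped in hand-rolled servers: a response that is otherwise perfectly valid but carries a counter that did not advance is exactly the signal the specification gives you for a cloned authenticator, and a library such as java-webauthn-server enforces it for you.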
If Python is more your style, we’re also releasing version 1.0 of our python-fido2 library. We’ve just published the first Release Candidate (RC1) for 1.0, and plan to have the final version out in about a month’s time. Not only is python-fido2 a WebAuthn server library which is capable of doing a lot of the things that our Java library does, it is also a client library. This means that it also implements the CTAP protocols, allowing you to access FIDO2 functionality outside of a browser, by directly talking to a YubiKey over USB or NFC.
Looking for something a bit lower-level? Try our C library, libfido2, which also has several third-party bindings for other languages. This is a client library (again, that means it handles CTAP) which also has some functionality for verifying signatures and attestation. It is used in, among other projects, OpenSSH, to let you authenticate your SSH sessions with a YubiKey!
WebAuthn Implementation Starter Kit
Additionally, we’re excited to announce the launch of a new version of the WebAuthn Starter Kit, an open source project and reference architecture that aims to guide developers on their journey to adding Passwordless and Adaptive Multi-Factor Authentication to their applications. This version takes a deeper look at how attestation and the FIDO Metadata Service are used to prove the validity and identity of a Security Key to a Relying Party, and to provide details about the device itself.
We also discuss the concept of Platform Authenticators as Trusted Devices, which helps to shift the current paradigm of Trusted Devices from something implemented with cookies or local storage to a WebAuthn-backed credential that is present on popular consumer devices. In this way, the use of Platform Authenticators can serve as a good complement to Security Keys.
The WebAuthn Starter Kit also covers best practices for handling the User Experience for WebAuthn enabled applications. It’s become clear that the different permutations of platforms, browsers, and credential devices can make the transition to WebAuthn overwhelming for users who are used to traditional authentication using username/password. Our implementation aims to deliver greater transparency, and ensure that users understand what action they need to take, when to take it, and when it’s being processed.
Widespread WebAuthn implementation, which can help curb account takeovers from phishing and other modern cyberthreats, will not persist unless trust is established with everyday users. It’s (past) time to move from U2F to WebAuthn. Not just because browsers will no longer support U2F, but because WebAuthn enables a bunch of new features as well! We hope some of our libraries can make implementing these standards a bit easier for you, and would love your feedback in making them even better going forward. Lastly, we hope these new releases not only enable further adoption of passwordless, but foster a better understanding of the different parts that make up WebAuthn.
———
To learn more about all things new with WebAuthn and WebAuthn implementation, check out our on-demand webinar, “MFA with WebAuthn: Implementation Updates and the Road Ahead.” Additionally, sign up for our upcoming webinar, “How to enhance your Adaptive MFA strategy using Yubico’s Java WebAuthn Server,” here.