The Web Authentication API, commonly called WebAuthn, is an extension of the Credential Management API – an attempt to formalize the interaction between websites and web browsers when exchanging user credentials. WebAuthn is a new global W3C secure web authentication standard supported by all leading platforms and browsers. It uses public key cryptography to enable strong authentication, passwordless web authentication, and phishing-resistant second-factor authentication (2FA).
Web Authentication Definition
By being built directly into common web browsers, the Web Authentication (or simply WebAuthn) standard enables users of authenticator devices such as phones, hardware security keys, or other devices containing a TPM (Trusted Platform Module), to register them with web applications and services for strong authentication.
Once registered, the aforementioned devices can serve as proxies for user verification, allowing users to instead provide biometric information or present an associated hardware device, in order to confirm user presence and essentially replace traditional passwords. A classic web authentication example is the hardware security token created by Yubico, called theYubiKey. When the YubiKey is selected as the web authentication tool of choice, users can authenticate via WebAuthn through a USB or NFC interface, and have peace of mind that their credentials will not be phishable since the hardware must be physically presented, in order to authenticate to a registered account or service.
The overarching concept is to enable applications and services (commonly referred to as Relying Parties (RPs), to store only public keys, but integrate seamlessly with authenticators that in turn, store only private keys. This is noteworthy because by storing only public keys, the potential threat of attackers compromising user accounts in the event of an RP data breach is essentially null, and users are able to retain full agency of their data. Without going into too much detail here (see below for more information), public and private keys together share a special mathematical property which correlates them, and although unique individually, can only be used to verify the other. Besides the YubiKey, other widely used WebAuthn authenticators include most modern smartphones as already mentioned, but also Windows Hello and Apple’s Touch ID.
Web Authentication FAQs
How Does WebAuthn Work?
WebAuthn is an application programming interface (API) that simplifies integration for web services and other users by integrating strong authentication with built-in support and applications native to leading browsers and platforms. This enables web services to offer strong authentication, and for users to select their authenticator, including roaming authenticators such as security keys or biometric readers and platform authenticators such as any mechanism integrated directly into laptops or mobile devices.
WebAuthn allows servers and authenticators from different vendors and of different types, such as the YubiKey, other hardware security tokens, Apple’s Touch ID, a smart phone, and Windows Hello to all integrate and operate interchangeably within the broader ecosystem. This works because all of the mentioned devices are able to securely house the private key, and when requested, create a digital assertion that demonstrates possession of said private key.
Moreover, the entire end-to-end WebAuthn process can actually be divided into two sub-processes, one pertaining to registration and the other authentication. During the registration process, the RP sends out an initial challenge to the user agent, which is normally a browser or the operating system. A connected authenticator (either roaming or platform) generates a unique private key and signs the challenge, which the user agent then sends back to the RP along with the corresponding public key, plus an identifier for the public key (credential ID) for storage. The RP sends out a new challenge when the user wants to subsequently authenticate with that same credential ID during the authentication process, and the authenticator must sign the challenge with the original private key. Once the system verifies that the user is in possession of the previously registered private key by decrypting signed assertions against the public key, the process is complete and access is granted.
Common Web Authentication Protocols
An understanding of several related or dependent protocols is critical to comprehending how WebAuthn works holistically:
FIDO. FIDO is the acronym for Fast Identity Online, a set of specifications and the web authentication framework created by the FIDO Alliance for standardizing high-security, web authentication methods and strong authenticators using public key cryptography as a second factor. It is sometimes even referred to as FIDO U2F, or FIDO Universal 2nd Factor.
FIDO2. FIDO2 extends the original FIDO specifications, encompassing WebAuthn, allowing users to authenticate using common desktop and mobile devices, notably with the added possibility of passwordless – a feature lacking from its predecessor FIDO U2F. Logically, FIDO2 can be thought of as a combination of both WebAuthn and CTAP2.
CTAP. Sometimes even referred to as CTAP1, or Client to Authenticator (version 1), enables roaming devices an interface into a client platform using Near Field Communication (NFC), USB, or Bluetooth. It enables FIDO U2F based hardware devices to communicate with operating systems and browsers.
CTAP2. CTAP2 (Client to Authentication version 2) allows for passwordless, multi-factor authentication (MFA) by extending CTAP, adding agency to authenticators to communicate directly with relying parties without needing a client platform. Note that an authenticator that implements CTAP2 is sometimes called a FIDO2 authenticator, and if that authenticator also implements CTAP1/U2F as well, it can be denoted as backward compatible.
Why Use WebAuthn?
The classic username and password authentication scheme has been in use for years and remains widely used and popular even today. This is true despite more modern approaches that make use of strong authentication mechanisms, such as certificates and cryptographic hardware tokens, being widely supported for various use cases and applications, both for enterprises and private use.
The typical end user conducts authentication through a web browser. Web browsers have essentially become the nexus between applications and credentials on mobile and desktop—both major platforms. For approaches such as WebAuthn to reach the masses, clearly browsers must support changes to authentication flows, but the web is founded on consensus-driven, incremental change.
This reality drove the formation of the W3C WebAuthn Working Group and its goal to develop a new, interoperable strong authentication specification that all parties can implement.
WebAuthn is the first standard that has enabled strong passwordless single factor authentication, strong second factor authentication, and strong passwordless multi-factor authentication. Yubico offers a passwordless login option in the form of YubiKey + PIN to authenticate in the strong multi-factor passwordless authentication scenario, and the YubiKey Bio even includes the possibility for passwordless using fingerprint.
WebAuthn makes online security simpler because it is supported by all the leading web browsers and platforms, which standardizes the integration of strong authentication into mobile and web applications. There is no need to download extra software or some other form of added support. WebAuthn opens up the possibility of strong authentication by making it both more accessible and customizable, offering users a choice of authenticators such as the YubiKey or any other built-in platform authenticators.
WebAuthn is far more secure than passwords, because it uses asymmetric (public key) cryptography. Yet, it does not add complicated extra steps to authenticate, thus retaining the transitional benefit of the ease passwords traditionally gives users. Overall, WebAuthn offers a secure and consistent user experience across devices through a global standard for secure authentication, and even provides a route toward the possible elimination of passwords altogether in the future.
Why WebAuthn is Important
We currently rely on passwords to secure our social media accounts, bank accounts, medical records, legal files, and other sensitive data—most of our recorded existence.
Yet passwords are highly susceptible to phishing and hacking. When websites are compromised, they are often released or sold to the public, and in fact, weak or stolen passwords have historically caused over 80% of all hacking-related breaches.
Any shared secret such as a password, is vulnerable to the aforementioned attacks. Public key authentication is immune from those weaknesses, and WebAuthn replaces the password with this mechanism, enabling servers to register and authenticate users whilst minimizing the impact of any data breaches.
The universally accepted web authentication standard is a W3C specification jointly developed by Yubico, Google, Mozilla, Microsoft, and others. Web Authentication works together with other industry standards such as FIDO 2.0 Client to Authenticator Protocol 2 (CTAP) and Credential Management.
What are Different Types of Web Authentications?
There are several web authentication types to be aware of:
Some are built into a computer or mobile web authentication platform. In the WebAuthn specification, these are referred to as platform authenticators. For example:
- Biometric reader with a secure element or TPM
- Face/voice recognition or iris reader
- Fingerprint reader
- PIN/passphrase/pattern with a secure element or TPM
Security keys in the WebAuthn specification are referred to as roaming authenticators. For example:
- PIN and secured touch sensor
- Software authenticator
- Secure touch sensor
Both web authentication and authorization are critical to secure applications, but it is important to distinguish between the two terms. Authentication verifies user identity and confirms a user is who they claim to be based on known data. Authorization ensures that an already authenticated user has the right to view certain data and/or perform specific actions. For example, you should only be able to see your own data using a web interface, and not have administrative access unless that is the explicitly defined role.
What are the Advantages of WebAuthn?
There are several reasons to upgrade to WebAuthn and passwordless login in place of users entering passwords.
WebAuthn is widely accessible. Broad adoption and acceptance of the technology across major operating systems, browsers, and devices means that WebAuthn is highly accessible. Thus far, Google Chrome, Mozilla Firefox, and Microsoft Edge support WebAuthn amongst the major browsers, and Google Android, Microsoft Windows and Apple iOS amongst the major operating systems support WebAuthn by default.
The organization and the business enjoy improved security. WebAuthn deploys strong public key cryptography with origin checking in place of weak knowledge-based answer recovery and password-based login. This protects users from phishing, credential theft, and account takeovers, which are major threats to an enterprise.
Enhanced customer experience fosters brand loyalty. The average consumer in the US must manage more than a dozen different passwords across services and websites, and for some business users, this number might be almost 200. Passwords may degrade customer experiences, and may contribute to reduced brand loyalty, leading to lost revenue. WebAuthn enables passwordless login and a faster, more secure experience..
Reduce operational costs across the board. As fewer users need help desk and support center time logging in with password reset inquiries, companies save money and increase productivity. WebAuthn enables IT and support departments to significantly reduce workloads.
WebAuthn introduces simple, flexible integration options. WebAuthn offers strong single-factor, two-factor, or multi-factor authentication options. This expanded range of authentication flow choices allow developers to select the best web authentication model for their customers, security needs, and use cases.
Does Yubico Support WebAuthn?
Yes! Today, it can be a challenge for a developer to integrate WebAuthn into their identity provider. Specifically, it can be difficult to find code examples and documentation that explain:
- How to adopt web authentication and migrate users away from passwords
- WebAuthn credential management
- Web authentication lifecycle best practices
The Yubico WebAuthn Starter Kit helps address the pain points associated with the transition away from passwords by using a dynamic flow centered on the user’s identity. In an identifier-first flow, a user is automatically guided down the login path enabled by the authenticators they have registered with their account (YubiKeys or built-in biometric sensors for example) using a password only if the authenticator does not support multi-factor, or is not supported by the client (i.e. browser or operating system) they are authenticating with. Validating that the authenticator’s user verification flag matches the expected value on the server-side is a crucial element of the identifier-first flow guidance.
The Kit provides a reference architecture that demonstrates the concepts in a practical deployment. The ultimate goal is to provide interested developers with an environment they can stand up for their own use, and is designed to resemble authentication frameworks that are in use today, but with WebAuthn incorporated as a cornerstone of a passwordless experience versus a standard two-factor authentication flow.
Yubico leverages the AWS Serverless Application Model to act as a uniform framework for users to deploy personal instances of the Yubico WebAuthn Starter Kit to review. Additionally, a script automating the deployment is also included, streamlining the deployment process and ensuring uniformity. A free AWS account is sufficient for anyone looking to deploy the WebAuthn Starter Kit.
In addition to a backend server hosted on AWS, the Yubico WebAuthn Starter Kit also provides a sample web client as part of a standard deployment, allowing interested parties to share the WebAuthn experience with others in their organization.
Passwords are universal, but insecure and easily hacked. And although they’re easy to set up, they also deliver a sub-optimal user experience, forcing users to remember and change passwords forever thereafter to retain any resemblance of protection against hacking. WebAuthn offers a secure global standard for passwordless authentication that enables a secure and consistent user experience across devices—all while maintaining a similar user flow.
The Yubico WebAuthn Starter Kit and associated documentation was created with technical audiences in mind. The goal is to address the practical implementation and code-specific questions, as well as provide more theoretical web authentication best practices and integration-related advice.
Find out more about Yubico and WebAuthn here.