Web Authentication: How Is the WebAuthn API Used?
Web Authentication (WebAuthn) is a W3C standard, and the browser-facing half of the FIDO2 project, that can make passwords unnecessary for website login. Instead of typing a secret that the server also knows, the user unlocks an authenticator (with a fingerprint, a face scan, a PIN, or a hardware security key such as a YubiKey) which then signs a challenge from the server with a private key that never leaves the device.
For years, we've used passwords to gain access to websites and servers. When we want to log on, we tap out a username, and we add on a string of letters and numbers to prove that we are who we claim to be.
But the average office employee must remember up to 40 unique username/password combinations. That high demand leads to poor habits, such as repetition, that can torpedo your security efforts.
A Short History of WebAuthn
Passwords are catnip to hackers. With a bit of coding cleverness and luck, an attacker can guess combinations, replay them from another site's breach, or entice someone to disclose them. Verizon's Data Breach Investigations Report has found that more than 80 percent of hacking-related breaches involved brute-forced or stolen credentials. Something had to change.
Websites first added two-factor authentication. A typical flow:
- Registrations. A device like a phone was attached to the user's profile.
- Logins. A user entered a name and password.
- Requests. The server sent a request to the authorised device.
- Completion. The user followed the instructions on the device to enter the site.
If you've ever tried to log in and had to wait for a code to arrive on your phone, you've used two-factor authentication. It helps, but implementation was sporadic. Some websites wanted to put their own spin on the process, which frustrated users, and some delivered experiences that people simply didn't understand. One-time codes also remain phishable: a fake login page can ask for the code and relay it to the real site before it expires.
The World Wide Web Consortium (W3C), working with the FIDO Alliance, wanted something that improved the user experience while closing that gap. In 2019 the W3C published the Web Authentication API (WebAuthn) as a Recommendation.
Since its release, WebAuthn has been widely adopted. The FIDO Alliance, whose FIDO 2.0 proposal the specification grew out of, certifies authenticators against it, all major browsers ship it, and well-known companies such as Amazon, Facebook, and Microsoft began deploying it for their own logins.
How Web Authentication Works
WebAuthn is an application programming interface, or API, that lets a website register and later recognise its users without a password. Many websites have forms that let people sign up with a unique username and password. WebAuthn can replace the password part of that with public-key cryptography.
Two ceremonies are involved:
- Registration. You pick a username and the site asks your browser to create a credential. An authenticator, either one built into your phone or laptop or a separate security key you carry, generates a new key pair for that site. A fingerprint, face, or PIN only unlocks the authenticator locally; no biometric data is ever sent to the website.
- Authentication. On later logins the site sends a fresh random challenge. After you confirm presence or verify yourself, the authenticator signs the challenge with the private key, and the server checks the signature against the public key it stored at registration.
To use a website enabled with WebAuthn, a user must:
- Register. You'll follow the familiar process of choosing a username. But instead of choosing a password, you'll unlock an authenticator (fingerprint, face, or PIN) or touch a physical security key so it can create a credential for the site.
- Repeat. Whenever you want to log in, you identify yourself (or let the site look up a discoverable credential) and unlock or touch the authenticator again. No password is involved at any point.
Complete this process, and you'll have something called a credential. It's a pair of keys (one public and one private) created for that one website and scoped to its relying-party ID, so it cannot be used at, or correlated with, any other site. Your private key stays inside your authenticator and nowhere else. Your public key is stored on the server.
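As an added illustration of the browser side of both ceremonies (not code from the original article or from any browser vendor), here is what a page's JavaScript does with the options the server issues: the challenge and credential IDs arrive as base64url strings and must become byte arrays before `navigator.credentials.create()` or `.get()` is called, and the resulting `PublicKeyCredential` holds ArrayBuffers that must be encoded again for the trip back to the server. The `credentials` parameter defaults to the real `navigator.credentials` and is injectable so the marshalling can be exercised outside a browser; the option values (ES256 and RS256 algorithms, a 60-second timeout, "none" attestation, "preferred" user verification) are assumptions, not anything the article specifies.

```javascript
// Added example, not the article's code: browser-side WebAuthn calls.
// Works in a browser and in Node >= 16 (btoa/atob available in both).

// base64url <-> bytes. Wire formats carry base64url text; the WebAuthn API
// wants ArrayBuffers/typed arrays and hands them back.
function toB64url(bytes) {
  return btoa(String.fromCharCode(...new Uint8Array(bytes)))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromB64url(s) {
  const pad = s.length % 4 ? '='.repeat(4 - (s.length % 4)) : '';
  const bin = atob(s.replace(/-/g, '+').replace(/_/g, '/') + pad);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Turn the registration options the server sent into the dictionary that
// navigator.credentials.create() expects. Assumed server shape:
// { challenge, rp: { id, name }, user: { id, name, displayName } }, all base64url.
function buildCreateOptions(serverOpts) {
  return {
    publicKey: {
      challenge: fromB64url(serverOpts.challenge),
      rp: { id: serverOpts.rp.id, name: serverOpts.rp.name },
      user: { id: fromB64url(serverOpts.user.id), name: serverOpts.user.name,
              displayName: serverOpts.user.displayName },
      // COSE algorithm identifiers: -7 = ES256, -257 = RS256 (assumed choices)
      pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }],
      authenticatorSelection: { userVerification: 'preferred', residentKey: 'preferred' },
      attestation: 'none',
      timeout: 60000,
    },
  };
}

// Same for login: server sends { challenge, rpId, allowCredentials: [{ id }] }.
function buildGetOptions(serverOpts) {
  return {
    publicKey: {
      challenge: fromB64url(serverOpts.challenge),
      rpId: serverOpts.rpId,
      allowCredentials: (serverOpts.allowCredentials || []).map((c) => ({ type: 'public-key', id: fromB64url(c.id) })),
      userVerification: 'preferred',
      timeout: 60000,
    },
  };
}

// Serialise the PublicKeyCredential the browser returns into JSON for the server.
// Registration responses carry attestationObject; login responses carry
// authenticatorData and signature. clientDataJSON is present in both.
function serializeCredential(cred) {
  const out = { id: cred.id, rawId: toB64url(cred.rawId), type: cred.type,
                response: { clientDataJSON: toB64url(cred.response.clientDataJSON) } };
  if (cred.response.attestationObject) out.response.attestationObject = toB64url(cred.response.attestationObject);
  if (cred.response.authenticatorData) {
    out.response.authenticatorData = toB64url(cred.response.authenticatorData);
    out.response.signature = toB64url(cred.response.signature);
  }
  return out;
}

// The two calls a page actually makes; `credentials` is injectable for testing.
async function registerWithBrowser(serverOpts, credentials = globalThis.navigator?.credentials) {
  const cred = await credentials.create(buildCreateOptions(serverOpts));
  return serializeCredential(cred);
}
async function loginWithBrowser(serverOpts, credentials = globalThis.navigator?.credentials) {
  const cred = await credentials.get(buildGetOptions(serverOpts));
  return serializeCredential(cred);
}
```

The browser fills in `clientDataJSON` (ceremony type, challenge, and the page's origin) itself; the page cannot forge it, which is what makes the signature origin-bound. The server must treat everything in the serialised response as untrusted until it has verified the signature and challenge.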
You may not know what these keys look like or how they work. But they play a vital role in each login attempt.
When you're ready to log into the site once more, your device and the server move through a series of steps.
- Attempt: You enter your username or pick an account. The server replies with a fresh random challenge and the list of credential IDs it holds for you (or no list at all if the site uses discoverable credentials).
- Contact: The browser passes the challenge, the site's origin, and the credential IDs to the authenticator, which finds the matching private key and asks you to confirm presence or verify yourself.
- Approval: The authenticator signs the challenge together with the origin data and a usage counter, and hands the signature back to the browser, which forwards it to the server.
- Server contact: The server verifies the signature with the stored public key, checks that the challenge is the one it just issued, that the origin and relying-party ID match its own, and that the counter increased, and then lets you in.
The use of public and private keys makes WebAuthn resistant to phishing and to credential theft: the server stores only public keys, so a breached database yields nothing an attacker can reuse, and every signature is bound to the site's origin. You don't need to remember anything at all, but you've created a unique us