What is WebAuthn?
In March 2019, the World Wide Web Consortium (W3C) announced that WebAuthn is now the official web standard for password-free login. With support from a broad set of applications (Microsoft Edge, Chrome, Firefox, Mobile), widespread adoption of WebAuthn is expected in coming years.
In this post, we will explore the shortcomings of current authentication methods, explore the benefits of WebAuthn, and dive into the most pertinent flows for WebAuthn.
Shortcomings of current Authentication Methods
Before we get into why WebAuthn was created and its diverse functionality, we first have to understand how authentication of users started, and the shortcomings of current methods.
We are all too familiar with using usernames and passwords as a method for authentication. Although this framework is ubiquitous and easy to understand for the common consumer, 1 in 5 Americans have experienced account takeovers (ATO) from password credentials. With the average end user having over 130 online accounts, businesses should look to mature their framework of user authentication for the material effect on their business.
The next iteration of credential authentication is 2FA, or two-factor authentication. But for customer accounts, popular, low assurance 2nd factors like SMS are well documented as being vulnerable to phishing attacks. With the fallibility of 2FA, WebAuthn provides a potential solution to advanced phishing attacks while simultaneously improving customer experience.
What is WebAuthn?
Meet the new global standard of web authentication. WebAuthn is a browser-based API that allows for web applications to simplify and secure user authentication by using registered devices (phones, laptops, etc) as factors. It uses public key cryptography to protect users from advanced phishing attacks.
The advantages of using WebAuthn can be categorized into 3 main buckets that impact multiple stakeholders, including customers, product owners, security teams, and support teams.
Let’s break down each of these.
Enhanced customer engagement
Customers - Frictionless login experience Since WebAuthn uses device-based authentication, the need for passwords is removed completely. For the customer, this means not having to remember your username and password when logging in, or requesting a one-time password for a step up second factor. The authentication flow is simplified for the end user to just using their registered device for authentication
Product owners - Time to Authentication, Time to market As mentioned before, WebAuthn removes the need for passwords. Product owners care about the use of their application, and removing any barriers to customers is usually their #1 goal. WebAuthn contributes to a frictionless login experience for these users.
In addition, since WebAuthn removes the need to think about any complex password settings, product owners can accelerate their time to market by avoiding the need to build complex architectures to manage and store passwords.
Strengthened security posture
Customers - Preservation of trust With the proliferation of data breaches, consumer trust is especially important to maintain. Customers are giving you their information, and they want to know their data is safe when sharing it. With WebAuthn, you are getting a much more secure authentication method that subverts the risks associated with passwords.
Security teams - Eliminate the inherent weakness of passwords WebAuthn does not rely on knowledge-based authentication such as usernames and passwords. This means that you are relying on registered devices that belong to the end user. The risk of spoofing authentication is lower because registered physical devices are harder to steal than passwords, making your security team happier.
Reduced organizational load to support applications
Support organization - Reduce support cycles for multiple factors A unique functionality of WebAuthn is using this standard as the primary method of logging in. By implementing WebAuthn, support cycles are eased, since the number of factors to enroll for will essentially reduce to just WebAuthn.
How does WebAuthn work?
So by now, you understand that WebAuthn’s main benefit is that it eliminates passwords. But how does this open standard go about doing this? WebAuthn has 3 main components that make all of these benefits possible: the authenticator, the browser, and the web server.
Authenticating users without a password is a 6 step process
Step 1: User goes to browser to initiate login
Step 2: Web server creates a unique challenge that is sent to the authenticator
Step 3: Authenticator receives challenge with domain name of challenge
Step 4: Authenticator receives biometric consent from user
Step 5: Authenticator generates cryptographic signature which is sent back to the web server
Step 6: Web server verifies signature to unique challenge to login user
For more on the technical specs, check out WebAuthn from W3C.
Moving towards Passwordless
To summarize, the world of authentication is shifting to passwordless. Account takeovers and limited user experience will be problems of the past as we improve the authentication experience through WebAuthn.
At Okta, we’re dedicated to developing secure, passwordless solutions to help our customers solve authentication challenges. We are committed to supporting authentication standards like WebAuthn that help ease the way for broader adoption of passwordless strategies. But we also recognize that the hard part for many organizations is securing the enrollment recovery phases and providing secure alternative authentication methods on non-supported devices.
To learn more about how Okta integrates with applications, download our free whitepaper on the subject.