The Dogfooding Chronicles: WebAuthN—The Path to Passwordless
In this edition of The Dogfooding Chronicles, we’re going to highlight an implementation we’re very excited about around here. Ever heard of WebAuthN? Read on to learn some tips and tricks we’ve learned in our WebAuthN enablement journey.
Setting the stage – what is WebAuthN?
Web Authentication API, aka WebAuthN, is one of the newest web standards, ratified in 2018. It’s been gaining popularity and adoption as popular browsers and operating systems have begun to support the new standard. This new specification, written by W3C and supported by the FIDO Alliance, was created to help standardize public-key authentication of users and businesses to services. The upshot? Organizations now have the option to use more secure authenticators like macOS TouchID, Windows Hello, Android Fingerprint, and security keys like Yubikey.
Looking towards a future free of passwords
Like most IT professionals, my extended family sees me as their personal tech support. I begrudgingly serve as their unpaid, on-call support person who helps with all technology problems. The most common issue? Passwords. For this reason alone, I look forward to a world without them. Infinitely better would be a world where all I, and all my family members, need to authenticate into a piece of technology, is ourselves.
We can all agree that WebAuthN is a more secure, convenient way to prove your identity, as it requires one of two things to authenticate: either a security key or a biometric identifier. Similar to Okta, the airline industry is shifting towards identity proofing as well, using biometric verification with companies like CLEAR. If you’ve got your boarding pass, your fingerprints, and/or your eyes with you, you’ll get through security in minutes, enjoying that nice, overpriced beer before your flight. (And long-time readers know how I feel about beer). Essentially, WebAuthN brings the clarity of a system like CLEAR to the workplace. Instead of employees wasting time on remembering, entering, or resetting their password, they can focus on productivity, collaboration, and execution.
A checklist to live by
- Fortify your policies
Imitation is the sincerest form of flattery—except when it comes to your online identity. Due to the increasing popularity of credential phishing, protecting your Okta org with Multifactor Authentication (MFA) policies has become a necessity. Without MFA policies, attackers with a valid user ID and password have unobstructed access to your data. The 2017 Verizon Data Breach Investigations Report cites 81% of attacks involved stolen credentials. The reason the Okta on Okta team loves WebAuthN is that it gives our users the flexibility to use a range of platform authenticators. This, coupled with our MFA policies, allows us to provide choice, while maintaining a strong security posture.
- Educate your employees
Believe me when I say, it pays to ensure your employees understand how to enroll additional factors into their accounts. In the long run, doing so will save your IT team lots of time. A great time to show them? Their new hire onboarding orientation! Empowering your employees to help themselves saves everybody’s time and allows your IT Help Desk to work on higher value work to progress their careers. It’s a win-win!
- Understand that not all hardware is created equal
Like most companies, Okta IT has hardware refresh cycles, meaning that not all of our employees have one of those fancy Macbook Pros with the TouchID, or PCs with Windows Hello. In order to make sure everyone at Okta is able to experience the new WebAuthN functionality, we offer those employees Yubikeys. Security keys combine hardware-based authentication, public key cryptography, and U2F and FIDO2 support and are just as secure as biometric authenticators.
To recap, WebAuthN is a major element to taking your organization passwordless. Having strong authenticators like security keys and biometric factors do more than just protect your company data. They are incredibly convenient ways for your employees to authenticate. And don’t forget the essentials: 1) save your users a trip to the IT Help Desk by explaining how to enroll their WebAuthN factors on Day One and 2) consider the different devices in your corporate environment so no one gets left out—everyone can take advantage of this new and improved frictionless authentication method.
Still looking for more on WebAuthN? Check out our How WebAuthn Works whitepaper!
Missed a previous post? Don't ever skip a meal—read them all!