Web Authentication: How Is Web API Basic Authentication Used?
Web authentication (also called WebAuthn or FIDO2.0) is an authentication standard that could make passwords obsolete. Instead of using letters and numbers to prove identity, users will offer a biometric key (like a fingerprint) or hardware (like a key from Yubikey).
For years, we've used passwords to gain access to websites and servers. When we want to log on, we tap out a username, and we add on a string of letters and numbers to prove that we are who we claim to be.
But the average office employee must remember up to 40 unique username/password combinations. That high demand leads to poor habits, such as repetition, that can torpedo your security efforts.
A Short History of WebAuthn
Passwords are catnip to hackers. With a bit of coding cleverness and luck, a hacker can either guess combinations or entice someone to disclose them. Verizon has said that more than 80 per cent of hacking-related breaches are caused by compromised credentials. Something had to change.
Webmasters tried two-factor authentication methods. That involved:
- Registrations. A device like a phone was attached to the user's profile.
- Logins. A user entered a name and password.
- Requests. The server sent a request to the authorised device.
- Completion. The user followed the instructions on the device to enter the site.
If you've ever tried to log in and had to wait for a code to ping your phone, you've used two-factor authorisation. It seems efficient, but implementation was sporadic. Some websites wanted to put their own spin on the process, which frustrated users. And some came with poor experiences that people just didn't understand.
The World Wide Web Consortium (W3C) wanted something new and better to improve the user experience while protecting security. In 2019, the group released the Web Authentication API to do just that.