If you spend a lot of time on the internet, you’ll no doubt have countless passwords and usernames. Social media, e-commerce, and email accounts: everything needs its own password. In the future, however, surfing the internet could be much more convenient for users – at least if the World Wide Web Consortium (W3C) has anything to do with it. The new WebAuthn standard is designed to eliminate the need for remembering passwords without compromising the security of sensitive data.

The idea behind Web Authentication

In the past, the only way to confirm your identity on the internet was by using a com­bin­a­tion of your username and password. With user names (in some cases an email address is used instead), a user specifies which account they want to access. A password that only the user knows is then used to confirm their identity.

This procedure has proven not to work well in practice: since it is very cumbersome, users tend to simplify it on their own by using easy-to-remember character combinations – which can be cracked quickly – or they use the same password for every account. To counter this, password managers and multi-factor authentication (MFA) were introduced. But many users don’t take advantage of these measures.

The World Wide Web Consortium (an association of IT companies that regularly publishes standards for the web) realised this and began looking for a solution. Together with the FIDO Alliance (a cooperation of different companies working on uniform authentication measures), several measures were developed under the FIDO2 project: in addition to the FIDO Client to Authenticator Protocol (CTAP), a new standard now exists: WebAuthn.

WebAuthn (or Web Authentication) is a uniform authentication option that no longer relies on passwords, but rather on biometric data. Users are able to log into their accounts using fingerprints or facial recognition. Today, many devices (especially smartphones and laptops) are already equipped with the corresponding hardware and software, which makes it a lot easier for users. Alternatively, a hardware token can be used to identify the user. Since users always carry this information with them, they can neither forget it nor pass it on without thinking: with WebAuthn, phishing could be a thing of the past.

Technical implementation of WebAuthn

WebAuthn is designed to work with any browser. Chrome, Firefox, Safari (partially), and Edge already support the standard. Websites that want to verify the identity of users for log-in purposes access the Web Authentication API in the browser. The respective user only confirms their identity on their own device, for example by using a fingerprint scanner or connecting their token to a laptop or PC. The sensitive identity data (e.g. the fingerprint) does not leave the device. Only a confirmation from the browser is sent to the web service, secured by a public key procedure. The user does not have to enter a password or a user name.

The interface is addressed via JavaScript. This makes it very easy for website operators to implement Web Authentication, and should therefore allow it to spread rapidly. If the web service provider wants even more security for its service, WebAuthn and MFA can also be used together. In addition to authentication using biometric data, you can set it so that a password is also required.

Note

Website operators must connect to the Web Authentication API and implement the corresponding JavaScript code. The official W3C recommendation contains more information about server-side implementation.

Moreover, since users no longer need to create passwords and user names, there is no risk of using the same data for different accounts. The standard ensures that unique login information is available for each user’s account. You only have to register your authenticator (fingerprint, token, etc.) once with the web service and can then use the convenient log-in.

Fact

Since different data is used for each account, there’s no tracking across different websites with WebAuthn.

Advantages and disadvantages of Web Authentication

In contrast to older measures that used a password, WebAuthn offers several advantages for users and website operators alike. The convenience and ease should be enough to entice users: there is no longer any need to memorise information. This is also great news in terms of security: the use of passwords is, after all, only conditionally secure. Either they can be cracked (with brute force or rainbow tables, for example) or the passwords are obtained through phishing. With WebAuthn, there is no way that a password can be passed on by accident.

Since the new standard does not transmit identity data over the internet, a man-in-the-middle attack, in which data is tapped during transmission, won’t be successful. In addition, the authenticity certificate is cryptographically secured by the public key procedure during transfer.

The fact that all sensitive data remains on the user’s device is also an advantage for website operators. Providers of services that require registration currently need to invest a lot of energy and expertise into securing passwords and user names. There could be catastrophic consequences if criminals manage to infiltrate the provider’s databases. Companies that are unable to prevent attacks like these face serious consequences, and their users suffer from the resulting data misuse – especially if they use the same credentials on other platforms.

WebAuthn is also considered more secure than multi-factor authentication. Although the additional identity feature, which is queried when logging in via MFA, offers additional protection, this doesn’t come without risk. Some authentication features – such as a one-time password via SMS – can be intercepted relatively easily. In addition, these short-term passwords have also become popular targets for phishing attacks. MFA is also a relatively time-consuming process. WebAuthn works faster and is therefore more user-friendly.

However, there are disadvantages if a new authenticator has to be registered for an existing account. For example, if the hardware token is lost, you need a new one. This new token isn’t so easy to link to the existing profile since it would be too great a security risk. Instead, you must either have a replacement authenticator that is intended exactly for this use, or you must reset it. The latter is similar to resetting a password and is best suited to services that do not require a high security standard.

Conclusion

WebAuthn offers a higher security standard than older methods and at the same time makes logging in to websites easier. Web service providers also have to put in less effort with WebAuthn, especially since implementation is comparatively simple.
