WebAuthn (Web Authentication)

If you spend a lot of time on the internet, you’ll no doubt have countless passwords and usernames. Social media, e-commerce, and email accounts: Everything needs its own password. In the future, however, surfing the internet could be much more convenient for users – at least if the World Wide Web Consortium (W3C) has something to do with it. The new WebAuthn standard is designed to eliminate the need for remembering passwords, but without compromising the security of sensitive data.

In the past, the only way to confirm your identity on the internet was by using a combination of your username and password. With user names (in some cases an email address is used instead), a user specifies which account they want to access. A password that only the user knows is then used to confirm their identity.

This procedure has proven to not be very efficient in the past: Since it is very cumbersome, users tend to simplify it on their own by using easy-to-remember character combinations – which can be cracked quickly – or they the same password for every account. To counter this, password managers and multi-factor authentication (MFA) were introduced. But many users don’t take advantage of these measures.

The World Wide Web Consortium (an association of IT companies that regularly publishes standards for the web) realised this and began looking for a solution. Together with the FIDO Alliance (a cooperation of different companies for uniform authentication measures) several measures were developed for the FIDO2 project: In addition to the FIDO Client to Authenticator Protocol (CTAP), a new standard now exists: WebAuthn.

WebAuthn (or Web Authentication) is a uniform authentication option that no longer relies on passwords, but rather on biometric data. Users are able to log into their accounts using fingerprints or facial recognition. Today, many devices (especially smartphones and laptops) are already equipped with the corresponding hardware and software, which makes it a lot easier for users. Alternatively, a hardware token can be used to identify the user. Since users always carry this information with them, they can neither forget it nor pass it on without thinking: With WebAuthn, phishing could be a thing of the past.

WebAuthn will work with any browser. Chrome, Firefox, Safari (partially), and Edge already support the standard. Websites that want to verify the identity of users for log-in purposes access the Web Authentication API in the browser. The respective user only confirms their identity on their own device. For example, by using a fingerprint scanner or connecting their token to a laptop or PC. The sensitive identity data (e.g. the fingerprint) does not leave the device. Only a confirmation from the browser is sent to the web service via public key procedure. The user does not have to enter a password or a user name.

The interface is addressed via JavaScript. This makes it very easy for website operators to implement Web Authentication, and should therefore allow it to be distributed rapidly. If the web service provider wants even more security for its service, WebAuthn and MFA can also be used together. In addition to authentication using biometric data, you can set it so that a password is also required.

Moreover, since users no longer need to create passwords and user names, there is no risk of using the same data for different accounts. The standard ensures that unique login information is available for each user’s account. You only have to register your authenticator (fingerprint, token, etc.) once with the web service and can then use the convenient log-in.

In contrast to older measures that used a password, WebAuthn offers several advantages for users and website operators alike. The convenience and ease should be enough to entice users: the fact that there is no need to memorise information anymore. This is great news in terms of security: The use of passwords is, after all, only conditionally secure. Either they can be cracked (with brute force or rainbow tables, for example) or the passwords are obtained through phishing. With WebAuthn, there is no way that a password can be passed on by accident.

Since the new standard does not transmit identity data over the internet, a man-in-the-middle attack, in which data is tapped during transmission, won’t be successful. In addition, the authenticity certificate is cryptographically secured by the public key procedure during transfer.

The fact that all sensitive data remains on the user’s device is also an advantage for website operators. Providers of services that require registration currently need to invest a lot of energy and expertise into securing passwords and user names. There could be catastrophic consequences if criminals manage to infiltrate the provider’s databases. Companies that are unable to prevent attacks like these face serious consequences, as well as causing suffering to their users due to this significant data misuse – especially if they use the credentials on other platforms.

WebAuthn is also considered more secure than multi-factor authentication. Although the additional identity feature, which is queried when logging in via MFA, offers additional protection, this doesn’t come without risk. Some authentication features – such as a one-time password via SMS – can be intercepted relatively easily. In addition, these short-term passwords have also become popular targets for phishing attacks. In addition: MFA is a relatively time-consuming process. WebAuthn works faster and is therefore more user-friendly.

However, there are disadvantages if a new authenticator has to be registered for an existing account. For example, if the hardware token is lost, you need a new one. This new token isn’t so easy to link to the existing profile since it would be too great a security risk. Instead, you must either have a replacement authenticator that is intended exactly for this use, or you must reset it. The latter is similar to resetting a password and is best suited to services that do not require a high security standard.