The Web Authentication API (also known as WebAuthn) is a browser-based API, which makes it possible for web applications to use registered devices (phones, laptops, etc.) as authentication factors. It allows servers to register and authenticate users without a password. This both simplifies and secures the user authentication process and protects users from advanced phishing attacks.
WebAuthn is a joint initiative of the World Wide Web Consortium (W3C) and the FIDO Alliance in conjunction with Google, Mozilla, Microsoft, Yubico, et al. It is an open standard with a uniform interface that facilitates passwordless authentication to web-based services by relying on public key cryptography (PKC).
There are three main advantages to WebAuthn that affect multiple stakeholders, including customers, product owners, security teams, and support teams. WebAuthn:
WebAuthn is an API that facilitates strong authentication by applications for web services, etc. It relies on standard support already built into leading browsers and platforms. As a result, web services can easily offer users strong authentication using a range of authenticators, from security keys to built-in platform authenticators like biometric readers.
WebAuthn uses the Relying Party website, a WebAuthn client browser, and a FIDO2-compatible authenticator. FIDO2-compatible authenticators can either be FIDO U2F hardware tokens or software tokens (i.e. those stored on a smartphone), or a platform authenticator like the Android or Windows Hello operating systems.
Which Web Browsers Support WebAuthn?
WebAuthn is supported by most popular web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari and Opera. It is also supported by most mobile operating systems such as Android and iOS.
Is WebAuthn Secure?
WebAuthn offers very high security and is used by many large companies and organisations to protect user accounts. It is immune to phishing attacks as it uses a combination of public and private key pairs to prevent identity fraud. WebAuthn is also resistant to attacks such as replay attacks and man-in-the-middle attacks.
Why Is WebAuthn Better Than Passwords?
The advantages of WebAuthn are many. It offers higher security than traditional passwords, as it is harder to hack or forge. It is also more user-friendly as users no longer need to remember passwords, but can simply use a security key, fingerprint or facial recognition. In addition, it is interoperable and can be used on different devices and platforms.
How Does WebAuthn Prevent MITM Attacks?
By using public-key cryptography and cryptographic attestations generated by the security keys, WebAuthn can help prevent various types of attacks, including man-in-the-middle attacks.