Fundamentals by Nevis: What is WebAuthn

WebAuthn (Web Authentication)

The Web Authentication API (also known as WebAuthn) is a browser-based API, which makes it possible for web applications to use registered devices (phones, laptops, etc.) as authentication factors. It allows servers to register and authenticate users without a password. This both simplifies and secures the user authentication process and protects users from advanced phishing attacks.

WebAuthn is a joint initiative of the World Wide Web Consortium (W3C) and the FIDO Alliance in conjunction with Google, Mozilla, Microsoft, Yubico, et al. It is an open standard with a uniform interface that facilitates passwordless authentication to web-based services by relying on public key cryptography (PKC).

WebAuthn is a JavaScript API specification that allows applications to perform secure authentication in both multi-factor and single-factor situations. The API, which is exposed by a compliant browser, makes it possible for applications to communicate with authenticators like key fobs or fingerprint scanners.

Benefits of WebAuthn

There are three main advantages to WebAuthn that affect multiple stakeholders, including customers, product owners, security teams, and support teams. WebAuthn:

Enhances customer engagement by providing a frictionless login experience: Thanks to its reliance on device-based authentication, WebAuthn eliminates the need for passwords. This means customers no longer have to remember usernames and complicated passwords to log in or request a one-time password as a second authentication factor. End users can simply use their registered device for authentication.

Accelerate the time to authentication / time to market for product owners: WebAuthn eliminates the need for passwords. This is appealing to product owners who want to remove any barriers to customers and facilitate the usage of their apps and services. WebAuthn helps create a seamless login experience. Since there’s no need to consider complex password settings when using WebAuthn (i.e. no need to build complex architectures to manage and store passwords), product owners can accelerate their time to market.

Strengthens a company’s security stance and boosts customer trust: Consumer trust is especially pivotal in the face of increasing data breaches. When customers provide their information and data, they want to know it is safe. WebAuthn provides a much more secure authentication method and mitigates the risks associated with passwords.

Eliminates the need for security teams to deal with the inherent problems of passwords: Since WebAuthn does not rely on knowledge-based authentication, like usernames and passwords, but rather on user-owned and registered devices, it is more difficult to subvert the authentication process. This is good news for security teams.

Reduces organizational load on support applications for multiple factors and adds backwards compatibility: When using WebAuthn as the primary login method, the number of authentication factors is essentially reduced to WebAuthn. This eases support cycles significantly. In addition, WebAuthn includes backwards compatibility. That means organizations do not have to immediately refresh already distributed tokens. FIDO U2F keys, like U2F supported YubiKeys, can function as second factors with web browsers supporting WebAuthn. As a result, organizations can enjoy slower and more structured migration.

How does WebAuthn work?

WebAuthn is an API that facilitates strong authentication by applications for web services, etc. It relies on standard support already built into leading browsers and platforms. As a result, web services can easily offer users strong authentication using a range of authenticators, from security keys to built-in platform authenticators like biometric readers.

WebAuthn uses the Relying Party website, a WebAuthn client browser, and a FIDO2-compatible authenticator. FIDO2-compatible authenticators can either be FIDO U2F hardware tokens or software tokens (i.e. those stored on a smartphone), or a platform authenticator like the Android or Windows Hello operating systems.

For FIDO2 authentication, the website prompts the browser using JavaScript. The browser then uses a JavaScript API inside the browser to communicate with the authenticator. The user then performs the necessary action on the authenticator (i.e. entering a PIN or providing a biometric feature). After the website receives the signed authentication from the browser, the digital signature is verified using the user’s trusted public key. The user is then granted access.