What Is WebAuthn and How Does It Work?

WebAuthn is a browser-based API used by web applications to facilitate the use of registered devices (phones, laptops, etc.) as authentication factors. Using WebAuthn eliminates the need for passwords.


WebAuthn (Web Authentication)

The Web Authentication API (also known as WebAuthn) is a browser-based API, which makes it possible for web applications to use registered devices (phones, laptops, etc.) as authentication factors.  It allows servers to register and authenticate users without a password. This both simplifies and secures the user authentication process and protects users from advanced phishing attacks.

WebAuthn is a joint initiative of the World Wide Web Consortium (W3C) and the FIDO Alliance in conjunction with Google, Mozilla, Microsoft, Yubico, et al. It is an open standard with a uniform interface that facilitates passwordless authentication to web-based services by relying on public key cryptography (PKC).

WebAuthn is a JavaScript API specification that allows applications to perform secure authentication in both multi-factor and single-factor situations. The API, which is exposed by a compliant browser, makes it possible for applications to communicate with authenticators like key fobs or fingerprint scanners.

Benefits of WebAuthn

There are three main advantages to WebAuthn that affect multiple stakeholders, including customers, product owners, security teams, and support teams. WebAuthn:

  • Enhances customer engagement by providing a frictionless login experience: Thanks to its reliance on device-based authentication, WebAuthn eliminates the need for passwords. This means customers no longer have to remember usernames and complicated passwords to log in or request a one-time password as a second authentication factor. End users can simply use their registered device for authentication.
  • Accelerate the time to authentication / time to market for product owners: WebAuthn eliminates the need for passwords. This is appealing to product owners who want to remove any barriers to customers  and facilitate the usage of their apps and services. WebAuthn helps create a seamless login experience. Since there’s no need to consider complex password settings when using WebAuthn (i.e. no need to build complex architectures to manage and store passwords), product owners can accelerate their time to market.
  • Strengthens a company’s security stance and boosts customer trust:  Consumer trust is especially pivotal in the face of increasing data breaches. When customers provide their information and data, they want to know it is safe. WebAuthn provides  a much more secure authentication method and mitigates the risks associated with passwords.
  • Eliminates the need for security teams to deal with the inherent problems of passwords: Since WebAuthn does not rely on knowledge-based authentication, like usernames and passwords, but rather on user-owned and registered devices, it is more difficult to subvert the authentication process. This is good news for security teams.
  • Reduces organizational load on support applications for multiple factors and adds backwards compatibility: When using WebAuthn as the primary login method, the number of authentication factors is essentially reduced to WebAuthn. This eases support cycles significantly. In addition, WebAuthn includes backwards compatibility. That means organizations do not have to immediately refresh already distributed tokens. FIDO U2F keys, like U2F supported YubiKeys, can function as second factors with web browsers supporting WebAuthn. As a result, organizations can enjoy slower and more structured migration.

How does WebAuthn work?

WebAuthn is an API that facilitates strong authentication by applications for web services, etc. It relies on standard support already built into leading browsers and platforms. As a result, web services can easily offer users strong authentication using a range of authenticators, from security keys to built-in platform authenticators like biometric readers.

WebAuthn uses the Relying Party website, a WebAuthn client browser, and a FIDO2-compatible authenticator. FIDO2-compatible authenticators can either be FIDO U2F hardware tokens or software tokens (i.e. those stored on a smartphone), or a platform authenticator like the Android or Windows Hello operating systems.

For FIDO2 authentication, the website prompts the browser using JavaScript. The browser then uses a JavaScript API inside the browser to communicate with the authenticator. The user then performs the necessary action on the authenticator (i.e. entering a PIN or providing a biometric feature). After the website receives the signed authentication from the browser, the digital signature is verified using the user’s trusted public key. The user is then granted access.


FAQ about WebAuthn

Which Web Browsers Support WebAuthn?

orange-plus orange-minus

WebAuthn is supported by most popular web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari and Opera. It is also supported by most mobile operating systems such as Android and iOS.

Is WebAuthn Secure?

orange-plus orange-minus

WebAuthn offers very high security and is used by many large companies and organisations to protect user accounts. It is immune to phishing attacks as it uses a combination of public and private key pairs to prevent identity fraud. WebAuthn is also resistant to attacks such as replay attacks and man-in-the-middle attacks.

Why Is WebAuthn Better Than Passwords?

orange-plus orange-minus

The advantages of WebAuthn are many. It offers higher security than traditional passwords, as it is harder to hack or forge. It is also more user-friendly as users no longer need to remember passwords but can simply use a security key, fingerprint or facial recognition. In addition, it is interoperable and can be used on different devices and platforms.

Why you should also prefer to use passwordless authentication. 

How Does WebAuthn Prevent MITM Attacks?

orange-plus orange-minus

By using public-key cryptography and cryptographic attestations generated by the security keys, WebAuthn can help prevent various types of attacks, including man-in-the-middle attacks.

Here in the blog, we have compiled further information on how to protect yourself against man-in-the-middle attacks.