If you spend a lot of time on the internet, you’ll no doubt have countless passwords and usernames. Social media, e-commerce, and email accounts: everything needs its own password. In the future, however, surfing the internet could be much more convenient for users, at least if the World Wide Web Consortium (W3C) has its way. The new WebAuthn standard is designed to eliminate the need for remembering passwords, but without compromising the security of sensitive data.

The idea behind Web Authentication

In the past, the only way to confirm your identity on the internet was a combination of username and password. With the username (in some cases an email address is used instead), a user specifies which account they want to access. A password that only the user knows then confirms their identity.

This procedure has proven not to be very effective: since it is cumbersome, users tend to simplify it on their own by choosing easy-to-remember character combinations, which can be cracked quickly, or by using the same password for every account. To counter this, password managers and multi-factor authentication (MFA) were introduced, but many users don’t take advantage of these measures.

The World Wide Web Consortium (an association of IT companies that regularly publishes standards for the web) recognized this and began looking for a solution. Together with the FIDO Alliance (a cooperation of different companies working on uniform authentication measures), several measures were developed within the FIDO2 project: in addition to the FIDO Client to Authenticator Protocol (CTAP), a new standard now exists: WebAuthn.

WebAuthn (or Web Authentication) is a uniform authentication option that no longer relies on passwords, but rather on biometric data. Users are able to log into their accounts using fingerprints or facial recognition. Today, many devices (especially smartphones and laptops) are already equipped with the corresponding hardware and software, which makes this a lot easier for users. Alternatively, a hardware token can be used to identify the user. Since users always carry this information with them, they can neither forget it nor pass it on without thinking: with WebAuthn, phishing could be a thing of the past.

Technical implementation of WebAuthn

WebAuthn will work with any browser; Chrome, Firefox, Safari (partially), and Edge already support the standard. Websites that want to verify the identity of users for log-in purposes access the Web Authentication API in the browser. The user only confirms their identity on their own device, for example by using a fingerprint scanner or by connecting their token to a laptop or PC. The sensitive identity data (e.g. the fingerprint) does not leave the device; only a confirmation from the browser is sent to the web service, secured by a public-key procedure. The user does not have to enter a password or a user name.

The interface is addressed via JavaScript. This makes it very easy for website operators to implement Web Authentication and should therefore allow it to spread rapidly. If the web service provider wants even more security for its service, WebAuthn and MFA can also be combined: in addition to authentication using biometric data, a password can be required as well.

Note

Website operators must connect to the Web Authentication API or implement the correct JavaScript code. The official W3C recommendation contains more information about server-side implementation.

Moreover, since users no longer need to create passwords and user names, there is no risk of reusing the same data for different accounts. The standard ensures that unique login information exists for each user account. You only have to register your authenticator (fingerprint, token, etc.) once with the web service and can then use the convenient log-in.

Fact

Since different data is used for each account, WebAuthn does not enable tracking across different websites.

Advantages and disadvantages of Web Authentication

In contrast to older measures that use a password, WebAuthn offers several advantages for users and website operators alike. The convenience alone should be enough to entice users: there is no longer any need to memorize information. This is also good news in terms of security, since passwords are only conditionally secure: either they can be cracked (with brute force or rainbow tables, for example) or they are obtained through phishing. With WebAuthn, there is no way for a password to be passed on by accident.

Since the new standard does not transmit identity data over the internet, a man-in-the-middle attack, in which data is tapped during transmission, will not succeed. In addition, the confirmation of authenticity is cryptographically secured by the public-key procedure during transfer.

The fact that all sensitive data remains on the user’s device is also an advantage for website operators. Providers of services that require registration currently need to invest a lot of energy and expertise into securing passwords and user names. There could be catastrophic consequences if criminals manage to infiltrate the provider’s databases. Companies that are unable to prevent such attacks face serious consequences, and their users suffer from the resulting data misuse, especially if they reuse the credentials on other platforms.

WebAuthn is also considered more secure than multi-factor authentication. Although the additional identity feature queried when logging in via MFA offers additional protection, this doesn’t come without risk. Some authentication features, such as a one-time password via SMS, can be intercepted relatively easily. These short-lived passwords have also become popular targets for phishing attacks. Moreover, MFA is a relatively time-consuming process; WebAuthn works faster and is therefore more user-friendly.

However, there are disadvantages if a new authenticator has to be registered for an existing account. For example, if the hardware token is lost, you need a new one. This new token isn’t so easy to link to the existing profile, since doing so would be too great a security risk. Instead, you must either have a replacement authenticator intended exactly for this purpose, or you must reset the account. The latter is similar to resetting a password and is best suited to services that do not require a high security standard.

Conclusion

WebAuthn offers a higher security standard than older methods and at the same time makes logging in to websites easier. Web service providers also have to put in less effort with WebAuthn, especially since implementation is comparatively simple.
