Defining web authentication (WebAuthn)

Web Authentication, or WebAuthn, is a security standard that enables secure, passwordless authentication on the web. Developed by the FIDO Alliance, it outlines a way for websites to authenticate users using asymmetric cryptography instead of passwords.

In today’s cyber-vulnerable world, the need for robust authentication methods has become more critical than ever before. With the prevalence of online services and the constant threat of data breaches, traditional password-based methods are no longer adequate.

These methods are not only vulnerable to attacks, but also burden users with the inconvenience of juggling multiple passwords. Even when supplemented with multi-factor authentication (MFA), they are susceptible to various attack vectors, like phishing and man-in-the-middle attacks.

This is where WebAuthn comes in. It represents a modern approach where users don’t have to remember passwords or check their mobile phones for authentication codes. Instead, they can seamlessly access websites and online services by using more convenient authentication methods, such as biometrics (facial or fingerprint recognition) or hardware security keys.

By prioritizing both security and user convenience, WebAuthn is emerging as a powerful authentication standard. It’s already supported by several online platforms and browsers, including Firefox, Google Chrome, Safari and Microsoft Edge.

WebAuthn leverages the power of public and private keys to enable secure authentication. Let’s explore the steps involved in a typical WebAuthn-powered login:

1. The user visits a website that supports WebAuthn.
2. For a new user, the website generates a new cryptographic key pair. The private key is stored on the user’s device, while the public key is registered with the website. For existing users, this step is skipped.
3. The website generates and sends a random challenge to the user’s device.
4. The device uses the private key to sign the challenge and sends it back to the website.
5. The website uses the registered public key to verify the digital signature.
6. If the signature verification is successful, the user is logged in to the website.

Some WebAuthn implementations may also incorporate MFA. In such cases, users may be prompted to offer additional proofs of identity, like facial or retina scans, or hardware tokens, before they are granted access.

WebAuthn is an integral part of the FIDO2 standard, which includes guidelines for building secure-yet-convenient login experiences. FIDO2 WebAuthn is simply another name for the WebAuthn specification.

After releasing the specifications for FIDO UAF and FIDO U2F, the FIDO Alliance collaborated with the World-Wide Consortium (W3C) to standardize FIDO authentication across web platforms. This collaboration led to the development of a web-based API, known as WebAuthn. The WebAuthn API enabled developers to integrate FIDO authentication directly into browsers, platforms and websites.

The other component of the FIDO standard is the Client to Authenticator Protocol (CTAP). CTAP is used for secure information exchange between WebAuthn-supported browsers and external authentication devices, like a security key or a biometric sensor.

W3C’s API specification for WebAuthn has all the details you need to get started with web authentication. Here is a high-level overview of the implementation process:

The first step is to set up a server-side application to handle WebAuthn requests. You’ll need to expose certain APIs that will be hit by the client-side application running on the browser, as well as implement the logic for user registration, authentication and secure data transit.

The registration logic includes storing public keys in a dedicated credential vault. When a user attempts to log in, the server would retrieve their corresponding public key from the vault and use it to verify their digital signature.

For secure data transit during authentication, it is recommended to use secure transmission protocols like HTTPS. HTTPS establishes an encrypted channel between the client and server, which ensures that transmitted data is kept confidential.

The second step involves integrating the WebAuthn API into your client-side application. You’ll need to create intuitive user interfaces, which make the process clear and convenient for the users. Once the interfaces are ready, you can connect them to your server.

During user registration, the client-side application should generate a pair of public and private keys. The public key should be sent to the server. The private key should be stored locally on the user's device, ensuring that it remains solely under the user's control.

No, WebAuthn and OAuth are different protocols that cater to specific use-cases. WebAuthn is a modern authentication framework that standardizes and simplifies passwordless authentication. OAuth is predominantly an authorization standard used for access delegation.

WebAuthn uses public-key cryptography to verify user identity during a login. It is a more secure authentication method, because unlike passwords, private keys are harder to phish and virtually impossible to guess.

OAuth enables third-party applications to access sensitive resources, on behalf of users, without exposing their credentials. It promotes transparency by clearly informing users about the specific permissions requested by third-party applications.