What is WebAuthn?
The term WebAuthn stands for a standard published by the World Wide Web Consortium (W3C) for authenticating users on the Web. It is an important result of the FIDO2 project of the FIDO Alliance (Fast IDentity Online). The Alliance includes well-known companies such as Google, Amazon, Microsoft, and RSA.
The procedure authenticates a user with public-key cryptography combined with factors such as hardware tokens, biometric features, or smartphones. User names and passwords become superfluous.
To use the method, support for the WebAuthn API must be built into web browsers and web applications. Popular browsers such as Mozilla Firefox, Google Chrome, Apple Safari, or Microsoft Edge already support the procedure. Operating systems such as Windows and Android or web applications such as Dropbox have also integrated the authentication method.
Level 1 of the standard was published by the W3C in March 2019, and work is still underway on Level 2 of the specification. In order to drive the dissemination of the method, the FIDO Alliance provides tools and specifications that can be used to test the authentication.
The most important features of WebAuthn authentication
The most important features of the authentication method are briefly summarized as follows:
- There is a separate unique account for each web service
- The access factors never leave the user’s device
- Users can log in via biometric features such as fingerprints, with FIDO security tokens, or with mobile devices
- No passwords are required to log in
- Integration on websites is possible by calling the WebAuthn API
How WebAuthn works
The authentication procedure is based on an older FIDO specification abbreviated UAF (Universal Authentication Framework). Unlike UAF, WebAuthn is also supported directly in web browsers. When a web service is used for the first time, it offers the user the WebAuthn authentication method.
The user registers once with the web service, linking their identity to their local device or to the chosen security factors. Once this link exists, they can log in without a user name and password: after a prompt in the web browser, it is sufficient to connect the hardware token to the computer or to scan a fingerprint. Each service the user logs on to uses its own key pair, so the same credential cannot be shared across different services.
The advantages of the process
After initial registration, authentication always follows the same simple steps. Because no reusable login credentials are transmitted, the login is considerably more secure, and misuse through password theft is prevented. In addition, each web service receives its own separate, unique credential.
The same login credentials can no longer be used to log in to different services, which also prevents the tracking of users across services. Sensitive data such as biometric information never leaves the user’s device. The authentication method is resistant to man-in-the-middle attacks and prevents password theft through phishing.