We’ve said it before and we’ll say it again, WebAuthn is one of the most exciting passwordless technologies available for both engineers and for users. In our latest post, we go a level deeper on WebAuthn to share what it is, why it’s so exciting, and what are considerations for implementing it.
WebAuthn, MFA, and U2F
The Web Authentication API (WebAuthn) is a specification that allows web applications on supported browsers to authenticate a user via authenticator types such as built-in device biometrics (e.g. facial recognition on mobile and fingerprint readers on desktop) or secure hardware keys (e.g. YubiKeys).
To understand WebAuthn, we need to understand its relationship with MFA and U2F.
- Multi-factor authentication (MFA) is quickly becoming standard practice for security-minded organizations and individuals. It consists of multiple layers of security that range from one-time passcodes to voice authentication.
- Universal second-factor authentication (U2F) ties two-factor authentication to a physical component, verifying a user’s identity by leveraging a USB or NFC (near-field communication)-based piece of hardware that sends a unique private key to the server.
WebAuthn allows MFA and U2F protocols to be easily integrated into web-based services or applications. By streamlining the integration process and creating an open standard for engineers to build on, WebAuthn makes secure passwordless authentication accessible and compatible with a variety of authentication factors.
How WebAuthn works
WebAuthn uses public-key cryptography to authenticate users and protect against even the most serious cyber attacks. Public key cryptography is an encryption scheme built around the relationship between two unique keys—a public key and a private key. These keys play an important role in securing data, with the public key being used to encrypt the data and the private key being used to decrypt it. This is why public-key cryptography is sometimes referred to as asymmetric cryptography—as opposed to symmetric cryptography, which uses one key for both decryption and encryption.
The public key is stored on the server, while the private key can be stored either on the local operating system or on a hardware security module like a USB or biometric scanner. When a user authenticates, the private key sends a message with a unique signature to the public key, which then decrypts access to the server.
Using this scheme as its foundation, WebAuthn establishes a uniform interface for implementing passwordless authentication across web-based services. First published in 2016 by the World Wide Web Consortium (W3C), it has quickly become one of the fastest growing new standards for passwordless authentication.
The benefits of WebAuthn
The benefits of using WebAuthn for passwordless authentication are as follows:
- Reduced friction: integrating WebAuthn into your application means reduced friction for your users. It’s a seamless experience to authenticate with your registered device or hardware key.
- Enhanced security: based on public-key cryptography, WebAuthn’s reliance on hardware security modules or biometrics for passwordless authentication provides unparalleled security. With cyber attacks becoming more complex and data breaches becoming more frequent, WebAuthn is a trustworthy choice as an "unphishable” authentication factor.
WebAuthn-supported authentication factors
WebAuthn enables you to support a multitude of hardware-based authentication factors to verify a user’s identity:
- Biometrics: biometric authenticators are devices that use fingerprints or facial, voice, or retinal scans to authenticate users. These authenticators can be connected to a variety of devices via USB port, Bluetooth, or NFC technology. Connecting a biometric authenticator to a specific device ties it to that device's physical location or domain. To authenticate, a user needs to verify not only their biometrics but also their location, effectively preventing phishing scams.
- Device-based biometrics: many devices today, including most Macs, iPhones and Androids, support device-based biometrics such as FaceID, TouchID, or similar.
- Security keys: similar to biometric scanners, security keys can be connected either via USB port, Bluetooth, or NFC. Where biometric devices ascribe to the principle of “something you are,” security keys work off the “something you have” principle. Similarly, being tied to a physical location or device makes them an effective way to prevent phishing. They are also more widely supported than biometric scanners when it comes to U2F/WebAuthn-enabled applications.
- YubiKeys: while similar in functionality to a security key, a YubiKey comes with the added security measure of being able to store time-sensitive one-time passwords (OTPs). This means that on top of WebAuthn-powered U2F, YubiKeys have their own proprietary authentication method. When a YubiKey connects to a device, it generates an OTP with an individual timestamp to authenticate access.
Pros and cons of WebAuthn
While WebAuthn has reduced friction when it comes to implementing passwordless authentication, it is not without its challenges. Browser support is a factor that should be taken into consideration when developing a WebAuthn app. Though WebAuthn supports Chrome, Windows 10, and Safari, support is not yet uniform in regard to feature parity.
While it’s early in adoption, WebAuthn continues to evolve. As it does, the number of supported browsers and devices that support it will continue to grow, providing companies and end users alike with unparalleled security and versatility.
While WebAuthn has many benefits, engineers and product teams need to understand the API to implement it securely. Stytch's WebAuthn product simplifies the process by abstracting the implementation details of WebAuthn so that integration is as quick and secure as possible.
Find the right WebAuthn solutions with Stytch
At Stytch, we know how important it is to find the right fit. That’s why our flexible APIs make it simple to use WebAuthn as a standalone authentication option or second factor to strengthen security.
Share
