Auth & identity
March 16, 2022
Author: Julianna Lamb
We’ve said it before and we’ll say it again, WebAuthn is one of the most exciting passwordless technologies available for both engineers and for users. In our latest post, we go a level deeper on WebAuthn to share what it is, why it’s so exciting, and what are considerations for implementing it.
The Web Authentication API (WebAuthn) is a specification that allows web applications on supported browsers to authenticate a user via authenticator types such as built-in device biometrics (e.g. facial recognition on mobile and fingerprint readers on desktop) or secure hardware keys (e.g. YubiKeys).
To understand WebAuthn, we need to understand its relationship with MFA and U2F.
WebAuthn allows MFA and U2F protocols to be easily integrated into web-based services or applications. By streamlining the integration process and creating an open standard for engineers to build on, WebAuthn makes secure passwordless authentication accessible and compatible with a variety of authentication factors.
WebAuthn uses public-key cryptography to authenticate users and protect against even the most serious cyber attacks. Public key cryptography is an encryption scheme built around the relationship between two unique keys—a public key and a private key. These keys play an important role in securing data, with the public key being used to encrypt the data and the private key being used to decrypt it. This is why public-key cryptography is sometimes referred to as asymmetric cryptography—as opposed to symmetric cryptography, which uses one key for both decryption and encryption.
The public key is stored on the server, while the private key can be stored either on the local operating system or on a hardware security module like a USB or biometric scanner. When a user authenticates, the private key sends a message with a unique signature to the public key, which then decrypts access to the server.
Using this scheme as its foundation, WebAuthn establishes a uniform interface for implementing passwordless authentication across web-based services. First published in 2016 by the World Wide Web Consortium (W3C), it has quickly become one of the fastest growing new standards for passwordless authentication.
The benefits of using WebAuthn for passwordless authentication are as follows:
WebAuthn enables you to support a multitude of hardware-based authentication factors to verify a user’s identity:
While WebAuthn has reduced friction when it comes to implementing passwordless authentication, it is not without its challenges. Browser support is a factor that should be taken into consideration when developing a WebAuthn app. Though WebAuthn supports Chrome, Windows 10, and Safari, support is not yet uniform in regard to feature parity.
While it’s early in adoption, WebAuthn continues to evolve. As it does, the number of supported browsers and devices that support it will continue to grow, providing companies and end users alike with unparalleled security and versatility.
While WebAuthn has many benefits, engineers and product teams need to understand the API to implement it securely. Stytch’s WebAuthn product simplifies the process by abstracting the implementation details of WebAuthn so that integration is as quick and secure as possible.
At Stytch, we know how important it is to find the right fit. That’s why our flexible APIs make it simple to use WebAuthn as a standalone authentication option or second factor to strengthen security.