WebAuthn - Web Authentication

An Overview of WebAuthn

Password-based authentication is both tiring and outdated for internet users because of the fact that hackers have attained mastery of hacking all sorts of passwords. (Forgetful nature of users is another problem, right?)

WebAuthn, an API-based authentication, allows users to get rid of password-based systems and still provides better protection. It permits the protection of the concerned account using the browser-supported API and public-key cryptography. 

Here is an easy-to-understand breakdown.

• Instead of conventional mechanisms, this method uses key-based authentication.
• Initially called Universal 2nd Factor (U2F), it’s an open standard crafted mainly by FIDO and W3C. Tech giants like Google and Microsoft also provided significant inputs in their version updates and revisions. 
• Organizations/users can use both types of keys (public and/or private) based on the requirement.
• It requires a form of interaction for authenticating and verifying a user’s identity. Mostly, hardware aids like fingerprint sensors or facial recognizers are incorporated to establish the interaction. At times YubiKey, a USB that users have to use for verifying their identity, is also used.
• Unlike OTP-based 2FA, its hardware-based authenticator is considered securer.  
• It’s compatible with all the leading browsers and OS like Edge, Chrome, Safari, Firefox, iOS, Windows 10, Android, and so on.  

‍

WebAuthn API History

The advanced and viable WebAuthn we get to see today is the result of years’ long updates and modifications. Its foundation dates back to 2014 when FIDO Alliance thought of taking password-based authentication to new highs.

This famous open industry organization that worked on UAF provided a secured authentication. However, the lack of browser-wide functionality and reference content on its implementation made its penetration very limited, and it made FIDO Alliance work on looking for browser-based authentication.

The update work continued, and the world had FIDO2 or Fast IDentity Online 2 as a UAF update by 2015. FIDO then joined hands with W3C to upgrade it further and make it an API-based authentication solution. Gradually, the project got support from Apple, Google, and Microsoft.

With their commendable efforts of them, WebAuthn API was stable enough to achieve Candidate Recommendation status in 2018. Since then, its penetration in cybersecurity is becoming deeper, and its user base is increasing.

‍

Goals of FIDO WebAuthn

Speaking of the objectives, it aims to simplify user authentication by offering password-free and flexible options. 

As managing passwords is a huge challenge, FIDO’s implementation provides a seamless and simplified user experience to people. It aims to proffer an authentication that works in any ecosystem, offers robust security, and has hassle-free implementation.

All in all, it inspires internet users to set free from the age-old practice of using weak, common, repeated, or even leaked that leads to an attack.

‍

How Does WebAuthn Work?

Knowing how it works is important for a better understanding of WebAuthn SSO. The bird's eye digest is as under.

• A user is asked to provide the related username to complete primary identification;
• Upon receiving the details, the browser will instruct the users to use the authenticator to complete the verification;
• When authenticator-side verification is successful, access is granted.

At a deeper level, a lot goes behind the wall. Let’s explain the process in detail.

Two key workflows are functioning here.

Registration Procedure

The workflow involves generating novel credentials against the provided username. This is the foundation of passwordless login that WebAuthn supports. Total of seven steps frames this process.

1. The intended user accesses the targeted website and clicks on the register button. It triggers the sending of a request to the related authn server instantly.
2. The server, upon receiving it, forwards the random dataset to the browser of the concerned user so that WebAuthn login can begin.
3. This data is then forwarded to the hardware-based authenticator tool.
4. The tool further instructs the concerned user to authenticate using acceptable means, including YubiKey, facial recognizer, and finger-print scanner.
5. Upon receiving the data, it will start generating a fresh pair of private & public keys. The dataset is signed using the primary one.
6. The signed output, public key, and process details are then sent to the server for verification.
7. Upon receiving these details, the server will verify the details and will store them for further usage.

The WebAuthn Authentication Procedure

The authentication workflow can be summarized as mentioned below.

• The user visits the targeted site or web app and prompts a login.
• The authentication server forwards the user’s request to the browser while instructing the person to validate his idenity via the preferred means.
• The server then forwards a random dataset or challenge to a hardware-based tool, i.e., authenticator. Users are required to provide the details like voice data, fingerprint, or input as the set criteria.
• Authenticator fetches this input and decodes the linked private key. It forwards the signature back to the authn server.
• If the provided signature is matched to the pre-based public key, you will get instant access to the website/app in question. Otherwise, the process fails, and an error message is displayed.

The Advantages of WebAuthn

Seeing the offerings, security experts have qualms to admit that WebAuth API is a modern and securer approach to online assets management. When implemented the right way, it brings a lot to the table.

1. Better security

As it uses an asymmetric cryptography key and combines hardware-based authenticator, account protection is better. Retrieving the API key is not easy and bypassing the security that authenticator tools offer needs physical access to them. Both these are not viable for remote hackers.

While threat actors can crack a password using social engineering, WebAuthn bypassing involves multiple stages that are not even viable at times. Hence, assets remain secure for a long.

2. Better phishing attack resistance

As the domain name of this authentication is saved on the hardware authenticator, not on the virtual server, it’s 100% resistant to phishing attacks. For beginners, phishing is a leading reason behind data theft, and its occurrence is on the rise. Controlling phishing attacks means keeping risks on the lower side.

3. No harm to sensitive data

The workflow only considers public data and saves it on the DB. Any PII or recorded biometric information is sent to the server. It’s saved on a cryptographic key for better data privacy.

4. Full control over user interaction

Users can decide which sort of authenticator tool to use and at which stage of the workflow.

5. Unmatched interoperability  

As it’s compatible with leading browsers and devices, users don’t have to be limited and get stuck with vendor lock-in.

6. Stress-free security

As there are no passwords to create and remember, internet users will have a better experience.

‍

Disadvantages of WebAuthn

Despite all these laudable pros, WebAuthn API is not flawless. It does have certain specific flaws, and their understanding is essential before its implementation. For instance:

• Its cross-device compatibility is not outstanding as users can’t transfer the credentials from one authenticator to another. For different authenticators, you will need to re-enter the credentials.
• The fallback possibility is high if the organizations misplace the authenticator or it gets corrupted. In this case, retrieving passwords is difficult, or a slight risk of credential theft.
• Its implementation is certainly a price-heavy process because buying an authenticator is involved. Also, it demands technical manpower to manage these tools that exert further expense load. Hence, it might not be an option for everyone.
• Managing password-based authentication rarely involves capital which makes it more famous. But, WebAuthn has a limited adoption rate for reasons like high expenses, more skills requirements, and maintenance efforts.
• Its implementation demands concerning organizations and users have great technical competence. Back-ups, maintenance, updates, and data restorations are a few areas where high-level technical expertise is necessitated.

‍

Wallarm API Security

While WebAuthn provides considerable security, it needs protection of its own. API-based attacks are on the rise, and a skilled hacker can reach the cryptography key behind the WebAuthn. If that happens, there is no one to rescue your digital resources.

Wallarm, with its modern end-to-end API security, resolves this concern greatly. With its multi-cloud compatible Advanced API Threat Detection, Cloud WAF, Active Response, and many other capabilities, it can protect all leading APIs, including cryptography key, from leading threats like DDoS attacks, bots, L7 attacks, API abuse, and OWASP Top 10.

The accuracy is dependable as the tools have fewer false positives and no unnecessary alerts.

‍

Conclusion

Are you still using passwords and expecting unbreakable security? Well, it’s time to rethink and start using WebAuthn.

While we live in a world of cyber vulnerabilities, we can’t afford an easy-to-decode password. WebAuthn is a cutting-edge authentication approach wherein there is no need to use traditional passwords and leave scope for an attack. WebAuthn provides better privacy, security, and protection with a cryptography key.