What is WebAuthn?
WebAuthn (Web Authentication API) is a global standard specification for secure authentication on the Web, formulated in 2018 by the World Wide Web Consortium (W3C).
This browser-based API allows user authentication on web applications through the creation of strong “credentials” and user-agent-mediated access to authenticators. This could be either in the form of hardware tokens (like U2F security keys) or in-built modules (biometric readers like Google Hello, Apple Touch ID) in the platform. Web Authn has garnered the support of all leading browsers like Chrome, Firefox, and Edge, and is compatible with all leading platforms.
How does WebAuthn Work?
With WebAuthn, a relying party (such as web service) can integrate a strong layer of authentication into applications with a choice of authenticators. It replaces the need for a password with the generation of a private-public key pair (credential) created for a website. While the private key is stored on the user’s device, the public key is generated randomly and shared with the server. The server then uses the public key to confirm the user’s identity.
The following steps are involved in WebAuthn:
- The user opens a website using their device
- On the request of the web service (replying party) through the Credential Manager API, the browser generates a new credential, specifying the user’s device capabilities.
- During the registration process, the user is offered multiple authentication options. This may vary from external authenticators to biometric authenticators like fingerprint analysis or facial recognition.
- Choosing any of the authenticators offered, the user completes the registration process.
- The authenticator generates a key pair (a public and a private key) – the public key is forwarded to the server, the private key is stored in the user’s device
Why use WebAuthn?
The public key and private key, both need to be used in conjunction. Therefore, by eliminating the need for a “secret” such as a password, WebAuthn drastically improves data security and prevents data breaches. Even if the public key is hacked, it will not function without the private key – which is stored in the user’s device – and becomes useless.
These are some of the scenarios in which WebAuthn can be useful:
- Setting up two-factor authentication (with or without passwords) that is resistant to friction and phishing
- Using biometric authorization that eliminates the need for passwords
- Recovering lost or stolen devices and bootstrapping of new devices
Find out how you can improve data security and prevent data breaches with Akku. Get in touch with us for a free demo today!