WebAuthn : Say Hello To a Password-Free Future!

Passwords have become major irritants both for users and for the security teams that have to support them. Remembering credentials for dozens of sites is difficult, so many people tend to reuse passwords on multiple sites, meaning that if a password is stolen or compromised in a data breach, many separate accounts could be jeopardized. There have been a number of different efforts to address this problem, from password managers to biometrics, but none has become the one overarching solution to the problem.

In an era of data breaches and dumps, it has become crucial to shift to a new paradigm that doesn’t depend on passwords for using internet services. To offer stronger authentication all over the web, the FIDO Alliance and the World Wide Web Consortium (W3C) are launching a new standard called Web Authentication (WebAuthn).

[Mi Knowledge Hub #4] All About WebAuthn : Say Hello To a Password-Free Future!

What is WebAuthn?

WebAuthn is a standard that defines a Web API which browsers and web platform infrastructure can incorporate to provide new methods of securely authenticating on the web with the help of browsers and devices. The Web Authentication (WebAuthn) standard is designed to replace the password with biometrics and devices that users already own, such as a security key, a smartphone, a fingerprint scanner or webcam.

Instead of having to remember an increasingly long string of characters, users can authenticate their login with their body or something they have in their possession, communicating directly with the website via Bluetooth, USB or NFC.

“WebAuthn will change the way that people access the Web,” said Jeff Jaffe, chief executive of the World Wide Web Consortium (W3C), the body that controls web standards.

How Will WebAuthn Work?

WebAuthn is developed by the W3C in coordination with the FIDO Alliance, and it is a primary part of the FIDO 2 project along with FIDO’s Client to Authenticator Protocol (CTAP) specification. CTAP comes into play when an external authenticator communicates with the user’s internet device. An external authenticator, such as a mobile phone, has to communicate locally with the user’s internet device using strong credentials. The FIDO 2 project enables users to authenticate to online services from mobile devices or desktops with enhanced, phishing-resistant security.

Instead of entering passwords, WebAuthn allows users to sign in using a fingerprint, retina scan, other biometric data stored in a smartphone, and even using a hardware key plugged into your laptop or a dedicated app. While it is already available to users, browser makers’ support will bring a major breakthrough, pushing for a password-free internet.

One example of how WebAuthn will work is that when a user visits a site they want to log into, they input a user name and then get an alert on their smartphone. Tapping on the alert on their phone then logs them into the website without the need for a password.

WebAuthn promises to protect users against phishing attacks and the use of stolen credentials, as there will be nothing to steal: the authentication token is generated and used once by their specific device each time the user logs in.

WebAuthn should also help people use unique login details for each and every service they use, instead of using the same login and password for every site, which many people still do, leaving them vulnerable to further attacks if one site is hacked.

“After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications,” says Brett McDowell, executive director of the FIDO Alliance.

Benefits Of WebAuthn

Simpler authentication: users simply log in with a single gesture using:
  • Internal or built-in authenticators (such as fingerprint or facial biometrics) in PCs, laptops and/or mobile devices
  • Convenient external authenticators, such as security keys and mobile devices, for device-to-device authentication using CTAP, a protocol for external authenticators developed by the FIDO Alliance that complements WebAuthn

Stronger authentication: FIDO Authentication is much stronger than relying only on passwords and related forms of authentication, and has these advantages:

  • User credentials and biometric templates never leave the user’s device and are never stored on servers
  • Accounts are protected from phishing, man-in-the-middle and replay attacks that use stolen passwords
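
The phishing and replay resistance described above comes from checks the website performs on every signed login response. As an added example (not from the original article), this Node.js sketch simulates an authenticator and the server-side verification; `login.example`, the session object and all function names are assumptions, and deriving the rpIdHash from the origin's hostname is a simplification of what the browser does.

```javascript
const nodeCrypto = require('node:crypto');
const RP_ID = 'login.example';              // assumed relying-party ID (constructed)
const RP_ORIGIN = 'https://login.example';  // assumed legitimate origin (constructed)
const sha256 = (d) => nodeCrypto.createHash('sha256').update(d).digest();
const newChallenge = () => nodeCrypto.randomBytes(32).toString('base64url');

// Authenticator side: the private key stays here; only signatures leave the device.
function makeAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let signCount = 0;
  const sign = (challenge, origin) => {
    const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
    const counter = Buffer.alloc(4);
    counter.writeUInt32BE(++signCount);
    // authenticatorData = rpIdHash (32 bytes) | flags (bit 0 = user present) | signCount (4 bytes)
    const authData = Buffer.concat([sha256(new URL(origin).hostname), Buffer.from([0x01]), counter]);
    const signature = nodeCrypto.sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authData, signature };
  };
  return { publicKey, sign };
}

// Relying-party side: the server stores only the public key and a counter.
function verifyAssertion({ clientDataJSON, authData, signature }, publicKey, session) {
  const client = JSON.parse(clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'bad type';
  if (session.used || client.challenge !== session.challenge) return 'challenge mismatch or replay';
  if (client.origin !== RP_ORIGIN) return 'wrong origin';
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return 'wrong rpIdHash';
  if ((authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  if (!nodeCrypto.verify('sha256', signed, publicKey, signature)) return 'bad signature';
  const count = authData.readUInt32BE(33);
  if (count <= session.lastSignCount) return 'counter did not increase';
  session.used = true;            // each challenge is accepted once
  session.lastSignCount = count;
  return 'ok';
}

function demo() {
  const device = makeAuthenticator();
  const session = { challenge: newChallenge(), used: false, lastSignCount: 0 };
  const good = device.sign(session.challenge, RP_ORIGIN);
  const phished = device.sign(session.challenge, 'https://login.example.evil.test');
  return {
    phished: verifyAssertion(phished, device.publicKey, session),   // look-alike origin
    genuine: verifyAssertion(good, device.publicKey, session),
    replayed: verifyAssertion(good, device.publicKey, session),     // same response again
  };
}
```

Because the server holds only a public key, a breach of its credential store yields nothing that can be replayed as a login.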

Application of WebAuthn

Google, Mozilla, and Microsoft have started to support the WebAuthn standard in their browsers and have started implementation for the Windows, Linux, Chrome and Mac platforms. Both the CTAP and WebAuthn specifications are available today, enabling developers to build support for the next generation of FIDO authentication into their products.

Online services and enterprises looking to protect themselves and their customers from the risks related to passwords, which include phishing, stolen credentials, and several other attacks, can soon start using a standard authentication process that will work through the browser or an external authenticator. Deploying FIDO authenticators can thus let users choose among various devices for access.

The standards of the FIDO 2 project will reach out across the globe, and many companies have pledged to start implementing the FIDO authenticator in their browsers and operating systems. At the same time, FIDO will also launch certificates for the servers and authenticators that adhere to the FIDO standards.

Though this does not mean an immediate or even a near-future end of passwords, this is one of the first tangible steps towards an Internet standard being implemented for a future 
