A Complete Guide to WebAuthn

WebAuthn is an innovative technique that allows you to log into a secure website without using your username and password. Instead, it employs fingerprint, face recognition, or a specific hardware token to let you access the website and its contents. The WebAuthn API was recently approved by the World Wide Web Consortium and it has already been adopted by many popular websites and internet browsers across the globe.

We live in a technologically advanced generation where data breaches have become a commonplace thing. More than a million user accounts have been hacked by cybercriminals in the past couple of years and the instances of cyberattacks are growing by the day. Experts say that one of the things that make data and website content vulnerable to cyberthreats is that most secure websites require their users to log in using their usernames and passwords each time they want to access their account. These credentials are stored within the website itself, which puts it at great risk in case of a data breach. The impact can be quite catastrophic when cybercriminals gain access to your personal information.

WebAuthn can help to escape this risk by eliminating the need for using a password. It works by creating a one-time authentication key every time you try to log in to the website. This way, it follows the safe practice of generating a unique password per website for each sign in, which is neither stored in the website nor required to be remembered for future logins.

How Does WebAuthn Work?

Generally, WebAuthn uses two types of authentication to grant access to a website – hardware security tokens and biometric verification. The use of biometrics is very common these days, and has been incorporated widely in smartphones and personal computers. It includes identifying the user via fingerprint or facial recognition through advanced sensors or depth camera. Hardware tokens are much different from using biometrics or passwords. They are designed as a smart key that you need to insert into your computer via the USB port to access the specific website and its contents.

While biometrics are more practical to use on mobile devices, such as laptops, tablets, smartphones, and wearable smart accessories, hardware security tokens are suitable for traditional computers that do not have the means to identify the fingerprint or face of the user. The only drawback of using a physical security key is that you can misplace it. In such a case, you would need to notify the website admin that you have lost the hardware token, so that they can deactivate the key and issue you a new one.

No matter which type of WebAuthn authentication the website is using, it would require the browser to prove your identity. Here, the browser would ask the device to provide that proof via the authenticator, which can be the device’s fingerprint sensor, camera, or a smart key. As the authenticator is trusted to supply the right information, there is no need to store the identification data on the website. In other words, the authenticator works like an intermediary that proves your identity to the website, so that you can access its content.

For instance, when you try to log in to a website, the browser would ask the authenticator to ask you to provide a proof of your identification, like your fingerprint. The authenticator would then confirm it and notify the browser, which would then pass the encrypted confirmation to the web server to let you sign in to your account. This way, WebAuthn not only encrypts the data with a secure public key but also makes sure that you communicate the private key that unlocks the account only with your personal device.

WebAuthn and Two-Factor Authentication

WebAuthn is essentially a one-factor authentication method. It is pretty straightforward, yet a robust way of identifying your credentials to access data on the internet. However, what if you passed out or were deep asleep? Could someone use your fingerprint to access your private account? This is a rare case, but it is possible to use your biometrics that way to gain access to your personal data. Similarly, someone can steal the hardware token and use it to download all your sensitive information from the website before you realize that the security key is missing.

Such risks can be quite real if biometrics or hardware token were the only way of proving your identity. Yet if WebAuthn worked in conjunction with two-factor authentication, no one in the world would be able to access your account without you approving it. The two-factor authentication method works by combining two different ways of accessing a website. It can be password and smart key, password and biometrics, or smart key and biometrics. However, this way of securing a website is still in its early stages and only a few of the financial establishments have adopted two-factor authentication along with WebAuthn.

The Scope of WebAuthn

WebAuthn is currently supported by all popular web browsers, such as Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari. It works well on Windows 10 and Android platforms, while other big names are testing the technology on their devices as well. Many websites have also adopted WebAuthn to secure the data of their users. However, it is still unclear how a website would redirect you to use your username and password to log in to the account in case the authenticator failed to recognize you. It may go beyond rewriting the website code to implement support for WebAuthn, which is why some websites are hesitant to move to the innovative approach.

Then there is the need for training as well. Websites implementing WebAuthn would have to educate their users on using the technology as well as how it benefits to secure their accounts. Besides, the website admin cannot force a user to buy the hardware security token – it must be the individual’s own decision to make use of the extra layer of security. Any added cost might be seen as unnecessary if the user does not have any sensitive data in the account. Yet again, as the World Wide Web Consortium has now approved WebAuthn, it might soon become a web standard to adopt the new technology, especially taking into consideration the growing number of cyberattacks.