WebAuthn will help replace passwords! (part2)


Authentication is evolving, and Web Authentication (WebAuthn) was approved this week as a W3C standard.

See my previous article, It's time to replace passwords!, for an overview of the key benefits of password-less authentication using enterprise-grade alternatives to passwords.

What is W3C WebAuthn?



Web Authentication is a new JavaScript API that enables strong credential and multi-factor authentication in the browser.

The Web Authentication API (also referred to as WebAuthn) is an extension of the W3C's more general Credential Management API. It lets web applications communicate with an authenticator through the browser, using a JavaScript API.

Authenticators hold the credentials and can be protected with an additional factor, such as biometric verification or a PIN, which the user must provide during registration or during a web authentication (WebAuthn).

The WebAuthn specification defines an API that enables web applications to create and use strong public key-based credentials for strongly authenticating users. The Web Authentication API is very simple: it exposes two basic methods, which work only in a secure context (HTTPS):

  1.  Register the user with the navigator.credentials.create method
  2.  Authenticate the user with the navigator.credentials.get method


What is FIDO2 CTAP2?

The Client to Authenticator Protocol 2 (CTAP2) is a specification, part of the FIDO2 project, that describes how an external, portable FIDO2 authenticator interacts with a client.

CTAP2 is an application-layer protocol used for communication between a client (browser) or a platform (operating system) and an external authenticator over three transport technologies: USB, NFC and Bluetooth.

CTAP2 is used with WebAuthn and enables an external authenticator, such as a FIDO2 security key or a mobile phone, to communicate strong credentials to the user's device (computer or mobile phone) when signing in to a compatible Relying Party.


How does Web Authentication work?

The principle behind FIDO2 & WebAuthn is to replace shared secrets, such as passwords, with public key cryptography.

The user holds a key pair unique to a website, called a Relying Party. During registration, the user gives the website the public key. Then, whenever the user wants to log in, the user supplies the application with an assertion signed with the private key, which the application verifies using the public key received during registration, proving that the user is in possession of the associated private key.

WebAuthn is more secure than traditional password authentication. If attackers steal the credential database, they only get the public keys, which are useless to them and long enough to resist brute force attacks. If attackers impersonate the website, the authenticator will not authorize the use of the private key, because credentials are bound to a specific URL.


Further Reading

I hope to have another article available soon with some examples and technical details.

If you’re feeling excited about replacing passwords, I encourage you to read this new white paper to discover how Microsoft can help you to go beyond passwords. https://aka.ms/pwdless-whitepaper



