WebAuthn is a web standard for secure, passwordless authentication allowing web servers to authenticate users with asymmetric cryptography instead of passwords. Users can use their own devices, like security keys or smartphones, to authenticate themselves to a website. By eliminating passwords altogether, WebAuthn provides a more secure and convenient way for users to access their personal information and accounts online.
WebAuthn, or Web Authentication API, is a standard developed by W3C and FIDO, launched in 2018, and became the official web standard in 2019 for passwordless logins, supported by Chrome, Firefox, Safari, Microsoft Edge, Windows 10 and Google Android.
WebAuthn is very secure in that it uses public key cryptography ensuring that only a user’s device can authenticate that user to a website and that the keys involved are specific to that origin or domain. This removes the many risks that revolve around passwords and the broader danger of phishing attacks. In addition, the fact that users no longer need to remember or maintain complex passwords make WebAuthn very convenient as they can simply use their device to authenticate. And as a bonus, WebAuthn is considered multifactor in itself because it’s something you have (their device) with something you are (biometric).
WebAuthn utilizes asymmetric, public key cryptography. This means upon initial registration two keys are created:
The public key can be decrypted only with the private key, and the public key alone cannot mathematically reveal the private key in any way.
Now there are three key terms that must be defined to understand how the WebAuthn flow works:
Let’s imagine that a user named Alice wants to sign up for online banking with a new bank that supports WebAuthn. Here’s what the registration flow would look like using our key terms above:
Going forward when Alice logs in, instead of a create request, a get request will be sent to the client, and instead of the authenticator creating unique keys, the authenticator sends a response signed with the private key, and the relying party will verify.
While the WebAuthn standard is fairly easy to implement given its well-defined API, it has not taken off as fast with developers and major applications. In addition, when it is utilized, it’s often not as intended in its full potential, but merely as a multifactor add-on. With support for Passkeys (which use the WebAuthn API) in the rollout of iOS16, Ventura, and Windows 11, we look to see more adoption this year. Teleport is ahead of the curve already as WebAuthn was added in Teleport 10 with Passkey support now in place. You can try it for free today.