WebAuthn: What you need to know about the future of the passwordless Web
While OS and browser makers now support the WebAuthn API, it's unclear when and how Web sites will begin implementing it.
By Mark Hachman
PCWorldMar 7, 2019 3:00 am PST
Image: KTSimage / Getty Images
WebAuthn is a new way of logging into websites that may finally free you from remembering passwords. Instead, you’ll use you: your fingerprint or face, or a hardware token.
The WebAuthn API is now an official standard, ratified by the World Wide Web Consortium (or W3C) on Monday. Fortunately, it’s already been built into many popular browsers as well as Windows 10. Now it’s up to the web itself to incorporate it. Here’s how it will work.
What makes WebAuthn better?
You may have heard of the Collections data breaches: millions of usernames and passwords, some linked to one another, and published to the web. In part, that’s because websites currently ask you to log in and store a username and password within the site itself. If that data leaks publicly, then bad actors can use that information to see whether you’ve used the passwords elsewhere. That can lead to a cascade effect, where hackers gain access to more and more of your personal information.
WebAuthn doesn’t ask for a password. In fact, because it creates a one-time authentication token each time you log in, it’s basically following the recommended security practice of creating a unique password for every website. And it does so without forcing you to remember a thing.
If you don’t need a password, what do you use instead?
WebAuthn supports two main categories of authentication: biometrics and hardware security tokens. You probably understand and already use biometrics such as fingerprint recognition via sensors in your smartphone or computer; or facial recognition, such as the depth camera that works with Windows Hello on your PC.
Hardware tokens are a little bit more obscure. The Yubico YubiKey is one popular example of a hardware token: Instead of using a password or biometrics, you simply put a Yubikey into a USB port on your PC. This is obviously handy for PCs that lack a depth camera. A YubiKey is essentially a complex password that you keep with you at all times. If you lose it, you’ll have to notify the site in question that you’ve lost it, deactivate that key, and then purchase and activate a new one.
How does WebAuthn work?
The Sophos Naked Security blog sums up the WebAuthn process rather neatly. If you log into a website that supports WebAuthn, that site challenges your browser to ask your PC (or smartphone) to prove that you are who you are. In this case, the browser asks your trusted authenticator to supply that proof. Your authenticator could be your phone’s fingerprint reader, Windows Hello, or a hardware token.
Because the authenticator itself is trusted, you don’t have to store fingerprint data or anything unique to you on the website—unlike the current way of doing things, where passwords are stored on the site. Basically, the authenticator is an intermediary: the good friend who can vouch for you when you meet somebody new, as an impeccable character reference.
When the website asks you to log in, the browser asks your authenticator to ask you to prove yourself by touching your fingerprint, for example. The authenticator then confirms that yep, you are who you say you are, and the browser passes that encrypted confirmation back to the web server.
There’s a bit more to it than just this, including the encryption of your data with a public key and a challenge signed with your private key that unlocks it. The idea, though, is that you’re communicating your “secret” (your fingerprint, face, or token) only within the secure confines of your PC.
Here’s another way to look at it: Let’s say your bank representative was driving to your house to drop off your cash, and you had to prove who you were. You could shout your personal information and password to the driver to verify your identity, and let the whole neighborhood listen in. But it’s far better to bring a trusted friend inside your home, prove that you are you, and then have that friend go outside and yell,”hey, everything’s cool!
Is there a WebAuthn demo?
There is a WebAuthn demo you can view. Although it’s quite slow and didn’t seem to actually create a public key, Webauthn.org shows you how it will work.
How does WebAuthn differ from two-factor authentication?
Essentially, WebAuthn is single-factor identification: a pretty ironclad way of identifying that you are you, but that’s all. If you passed out, could someone take your finger and authenticate yourself to your banking site? If that was the only way to verify your identity (i.e., no password), then yes, conceivably. Will WebAuthn work in conjunction with existing 2FA methods? That remains to be seen.
Two-factor authentication generally combines two of these three: something you know (a password) with something you have (a smartcard or token) or something you are—basically, you. In other words, your bank may still encourage you to use WebAuthn biometric identification with a password for even better security than what’s available today.
Now, it’s up to the websites themselves to begin implementing support for WebAuthn, which may go a bit beyond simply rewriting their code to accept WebAuthn logins. It’s not clear, for example, whether a website that relies on WebAuthn will need to “fall back” to a less secure password if Windows Hello can’t recognize you for some reason, or your fingerprint reader fails as well. Those sites will also have to educate users on the advantages of using WebAuthn, and alter their login pages and the like. Do they force customers with older PCs to buy a hardware token? Probably not, but those decisions have to be made.
What happened this week, though, was an important step forward. The W3C essentially legislates web standards. With WebAuthn in place, sites are now clear to make it a reality.