How WebAuthn aims to solve the password problem

One of the most pervasive challenges in cybersecurity is the balancing act between protection and usability. Security measures have to prevent malicious actors from accessing essential systems and data but must not be a barrier to legitimate users.

While there is a pressing need to develop new security strategies to combat an evolving threat landscape, new measures invariably create more hoops for users to jump through. If users perceive a security measure as too onerous or complicated, they will often begin to find shortcuts or simply avoid it altogether whenever possible. Indeed, even the simple and familiar username/password authentication is commonly seen as a burden, particularly when users are tasked with devising and remembering passwords for multiple systems.

But with the establishment of the Web Authentication (WebAuthn) specification, the solution for this long-standing problem may finally be on the horizon. Rather than tasking users with tracking dozens of separate passwords or requiring them to perform increasingly elaborate tasks to prove their identity, WebAuthn aims to create a standardized approach to authentication that will enable users to securely access web-based applications using their own unique authenticators (and without the additional need for a password). The dream of passwordless authentication is one that has been chased for a long time and it looks like the W3C-backed WebAuthn specification will finally help us to realize that goal.

What is WebAuthn?

WebAuthn is a standard for creating and accessing public key credentials on the web, to enable strong authentication of users. It is the result of a joint effort from the W3C, an international internet standards organization, and the FIDO Alliance, a federation of companies interested in improving identity-based security online. With WebAuthn, users can register and authenticate with web applications using devices such as phones, hardware security keys and laptops/desktops with built-in Trusted Platform Modules (TPM).

The device itself acts as the authenticator. This means a device can be used alongside other authentication factors to achieve multi-factor authentication (MFA), or in the case of devices with built-in biometrics or PIN entry mechanisms, can achieve MFA from a single gesture, increasing both security and ease-of-use. WebAuthn is additionally designed to be phishing-resistant, as credentials are “scoped” to the website where they were created, (e.g., example.com), and won’t work if users are tricked into authenticating on a phishing site (e.g., examp1e.com).

The W3C and FIDO Alliance have defined an API that enables developers implement WebAuthn for web applications. Although it will likely still be some time before we see widespread implementation, the standard has so far received strong support from major players including Google, Microsoft, Mozilla and Visa. The colossal user base of these companies means it is only a matter of time before WebAuthn is established as a global web standard.

Why is WebAuthn a step forward?

WebAuthn boasts a number of properties that give it the potential to finally balance security and usability. One of the defining elements is the capability to deliver a high level of identity verification across multiple applications with very minimal burden to the user. Because the machine itself serves as an authenticator, any user armed with a device capable of handling biometrics or PIN entry can establish an extremely secure multi-factor authentication process without the need for any further steps. The widespread availability of devices capable of biometric modalities such as fingerprint, voice and facial recognition mean that the standard will be accessible by a huge user base, rather than only those willing to invest in expensive or specialized devices.

Aside from providing an easy process for end users, the fact that WebAuthn supports multiple authentication factors in a single gesture gives it an advantage over other authentication methods. The only way for an attacker to impersonate the user is for them to defeat the authenticator’s biometric or PIN entry mechanism, as well as have physical access to the device. While this is still possible, it now requires a highly targeted and planned attack with the kinds of skills and resources generally only seen at nation-state level.

By comparison, even less skilled attackers can circumvent most existing solutions armed with nothing more than a credential database or a well-crafted phishing email. Indeed, WebAuthn is also highly resilient against current phishing techniques, as the device will only complete the authentication process with the domain it was registered with and not an imposter site on a different domain.

WebAuthn also overcomes another common security weakness in the way data is held. With most existing authentication processes, we must trust the service provider to protect the user’s credentials. The weakness inherent in this arrangement has been made clear again and again in recent years – each service provider must keep a vast database of user details and passwords, and a single breach can leave tens of millions of individuals exposed. WebAuthn addresses this because the essential information is split in two. The service provider only needs to store the publicly available information about users, while the private elements – the private keys used for identity verification – are stored on the user’s device. This means that, in the event a service provider suffers a data breach, the attacker only gains access to the public part of the key and this alone cannot be used to impersonate the user.

The challenges ahead

Despite WebAuthn’s potential, there are two major challenges that must be overcome before we can say goodbye to passwords. The first issue is user education. The logistics behind biometrics are still poorly understood, and there is a common assumption that data will be transmitted in the same manner as a password, creating the opportunity for it to be stolen or misused by businesses. Service providers and the security industry must work together to educate users on the use of biometrics, including the fact that data is held and verified locally and never leaves their device.

The second challenge is adoption. Although the support of big names like Google and Microsoft is invaluable, individual service providers will still need to adopt WebAuthn for it to become a viable standard. The security industry can also play an important role in realizing the full potential for the standard by delivering the updated tools businesses need to incorporate WebAuthn into existing security policies and deliver a strong user experience. Once these two challenges have been overcome, WebAuthn has the potential for us to move beyond passwords for good, improving security and accessibility simultaneously.

To learn more about WebAuthn and how to replace or supplement password-based authentication on your own websites, please visit WebAuthn.guide.

Article contributor: James Barclay, Senior R&D Engineer, Duo Security.