WebAuthn
Web Authentication is a web standard published by the World Wide Web Consortium.
It defines an API that websites use to authenticate users with WebAuthn credentials (public-key credentials) and specifies what WebAuthn authenticators must do.
It solves many of the issues of traditional password-based authentication by replacing a shared secret with a digital signature: the authenticator signs a server-supplied challenge with a private key that never leaves it, and the server checks that signature against the public key it stored at registration.
Although WebAuthn is often touted as a complete replacement for passwords, most websites that implement it continue to use passwords in some capacity.
To use WebAuthn, users require a compatible authenticator. The standard does not specify how the signing keys are stored, so a variety of authenticator types can be used. The most common type is a platform authenticator, which is built into the operating system of the device; common examples include Android, Apple Keychain and Windows Hello. These make use of hardware security features, and often sync credentials between devices for ease of use. Another common type is a roaming authenticator, a separate hardware device that connects over USB, Bluetooth Low Energy or near-field communication. Most smartphones can be used as roaming authenticators, and dedicated physical security keys are also used. WebAuthn is effectively backward compatible with FIDO Universal 2nd Factor, because the FIDO Client to Authenticator Protocol (CTAP) carries the older U2F protocol as CTAP1 alongside CTAP2. Password managers can also act as authenticators, often with cloud sync. Where credential sync is not viable or possible, WebAuthn Hybrid Transport can be used to access credentials stored on another authenticator such as a smartphone.
Like legacy U2F, WebAuthn is resistant to phishing: each credential is scoped to the Relying Party ID (a domain) of the site that registered it, the browser refuses to use that RP ID from an origin that does not belong to it, and the browser writes the real origin into the data that the authenticator signs, so a lookalike domain cannot obtain a signature the genuine site will accept. Unlike U2F, WebAuthn can also be implemented in a passwordless manner. Moreover, a roaming hardware authenticator resists key theft by malware, since the private keys are stored on a separate device that the malware cannot read; malware on the host can still ask an attached authenticator for assertions, which is why each signature requires a test of user presence.
The WebAuthn Level 1 and 2 standards were published as W3C Recommendations on 4 March 2019 and 8 April 2021 respectively. A Level 3 specification is currently a First Public Working Draft.
WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance.
Background
FIDO2 is the successor to FIDO Universal 2nd Factor. Whereas U2F only supports multi-factor mode, having been designed to strengthen existing username/password-based login flows, FIDO2 adds support for single-factor mode. In multi-factor mode, the authenticator is activated by a test of user presence, which usually consists of a simple button push; the authenticator itself asks for no PIN or biometric, and the password supplies the other factor. In single-factor mode, the authenticator performs user verification. Depending on the authenticator capabilities, this can be:
- something you know: a secret such as a PIN, passcode or swipe pattern
- something you are: a biometric such as fingerprint, face, iris or voice
A secret and a biometric on the authenticator can be used together, similarly to how they are used on a smartphone. For example, a fingerprint provides convenient access to the user's smartphone, but occasionally fingerprint recognition fails, in which case the user can fall back to a PIN.
Reasons for its design and standardization
The W3C designed and standardized WebAuthn to solve or mitigate many issues that are inherent to traditional password-based authentication:
- Secure credential generation and storage: WebAuthn generates a fresh public-key pair for every account on every website, keeping the private key inside a trusted authenticator. This eliminates common vulnerabilities such as:
- * Weak passwords that can be easily brute-forced due to insufficient length.
- * Predictable passwords vulnerable to dictionary attacks.
- * Guessable passwords based on personal information.
- * Poor client-side password storage.
- * Password reuse across multiple websites, as WebAuthn credentials are specific to individual websites by design.
- * Inadequate server-mandated password requirements.
- * Restrictions preventing password manager auto-fill features.
- No server-side secret storage: The server stores only the public key of a credential; the private key never leaves the authenticator, eliminating risks and vulnerabilities such as:
- * Insecure password storage in databases.
- * Database leaks exposing passwords.
- * Mandatory, ineffective periodic password changes.
- Unique credentials for each website: WebAuthn credentials are created per website and bound to its Relying Party ID, eliminating the following risks and vulnerabilities:
- * Credential stuffing attacks, where attackers use credentials from one data breach across multiple sites.
- * Phishing attacks, as a credential can only be exercised for the site that registered it, and the signed data records the origin the browser actually saw.
Passkey branding
When Apple first introduced passkeys to the public in 2022, they emphasized their first-party platform integrations. This, combined with the lack of clear communication from other industry leaders, led some to speculate that passkeys were proprietary to Apple, which was not the case. As browsers and websites began to implement WebAuthn, the inconsistent feature-sets resulted in a variety of understandings of what exactly counted as a passkey. Some people assumed that a passkey required management by a platform authenticator, or needed synchronization using the cloud. A better definition is that a passkey is any WebAuthn credential managed by any WebAuthn authenticator. This definition covers most of what different vendors refer to and accept as passkeys.
Overview
Like its predecessor FIDO U2F, W3C Web Authentication involves a website, a web browser, and an authenticator:
- The website is a conforming WebAuthn Relying Party
- The browser is a conforming WebAuthn Client
- The authenticator is a FIDO2 authenticator, that is, it is assumed compatible with the WebAuthn Client
Authentication
The authenticator is a multi-factor cryptographic authenticator that uses public-key cryptography to sign an authentication assertion targeted at the WebAuthn Relying Party. Assuming the authenticator uses facial recognition, a fingerprint or a PIN for user verification, the authenticator itself is something you have, facial recognition and fingerprint are something you are, and the PIN is something you know.
To initiate the WebAuthn authentication flow, the WebAuthn Relying Party indicates its intentions to the WebAuthn Client via JavaScript: its page script calls the Web Authentication API implemented in the browser (navigator.credentials.get(), supplying a freshly generated challenge and the Relying Party ID). The browser, acting as the WebAuthn Client, then communicates with the authenticator. A roaming authenticator conforms to the FIDO Client to Authenticator Protocol and is connected over USB, Bluetooth Low Energy or near-field communication.
WebAuthn does not strictly require a roaming hardware authenticator. Alternatively, a software authenticator or a platform authenticator may be used. Relevant examples of platform authenticators include Windows Hello and the Android operating system.
WebAuthn Hybrid Transport allows the WebAuthn Client to access credentials stored on another authenticator such as a smartphone, useful in certain situations where credential sync is not viable.
There is a lingering misunderstanding among users that biometric data is transmitted over the network in the same manner as passwords, which is not the case: the biometric only unlocks the private key locally on the authenticator, and what the server receives is a signature and a flag stating that user verification took place.
Registration
When the WebAuthn Relying Party receives the signed authentication assertion from the browser, the digital signature on the assertion is verified using a trusted public key for the user. Before checking the signature, the Relying Party also confirms that the signed client data carries the challenge it issued and its own origin, that the authenticator data names its Relying Party ID, that the user-presence (and, if required, user-verification) flag is set, and that the signature counter has advanced since the last login, which would otherwise indicate a cloned authenticator.
To obtain a public key for the user, the WebAuthn Relying Party initiates a WebAuthn registration flow that is similar to the authentication flow described above, using navigator.credentials.create(). The primary difference is that the authenticator now signs an attestation statement with its attestation private key. The signed attestation statement contains a copy of the newly generated public key that the WebAuthn Relying Party ultimately uses to verify signed authentication assertions. The attestation certificate contains metadata describing the authenticator itself.
The digital signature on the attestation statement is verified with the trusted attestation public key for that particular model of authenticator. How the WebAuthn Relying Party obtains its store of trusted attestation public keys is unspecified. One option is to use the FIDO metadata service.
The attestation the Relying Party asks for when calling the API, together with the attestation type the authenticator actually returns, determines the trust model. For instance, with self-attestation the credential's own key signs the attestation statement, so nothing vouches for the authenticator and the trust model is essentially trust on first use.
Support
The WebAuthn Level 1 standard was published as a W3C Recommendation by the Web Authentication Working Group on 4 March 2019. WebAuthn is supported by Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari and Opera.
The desktop version of Google Chrome has supported WebAuthn since version 67. Firefox, which had not fully supported the previous FIDO U2F standard, included and enabled WebAuthn in Firefox version 60, released on 9 May 2018. An early Windows Insider release of Microsoft Edge implemented a version of WebAuthn that works with both Windows Hello and external security keys.
Existing FIDO U2F security keys are largely compatible with the WebAuthn standard, though WebAuthn added the ability to reference a unique per-account "user handle" identifier, which older authenticators are unable to store.
One of the first FIDO2-compatible authenticators was the second-generation Security Key by Yubico, announced on 10 April 2018. The first FIDO2-compatible authenticator with a display was the Trezor Model T by SatoshiLabs, announced on 6 November 2019. The Trezor Model T was also the first authenticator that allowed users to select, directly on the device, which FIDO2 resident credential should be used.
The first Security Level 2 certified FIDO2 key, called "Goldengate" was announced one year later by eWBM on 8 April 2019.
Dropbox announced support for WebAuthn logins on 8 May 2018.
Apple announced that Face ID or Touch ID could be used as a WebAuthn platform authenticator with Safari on 24 June 2020.
Several password managers, such as Bitwarden and Dashlane, support WebAuthn and can store its credentials.