We have open-sourced Virtual WebAuthn, a set of Go helper tools that enable developers to test WebAuthn authentication flows without needing a browser or an actual authenticator. You can check out the GitHub repo here and let us know what you think. This blog will cover the basics of WebAuthn, why we felt something like Virtual WebAuthn was needed, and an overview of features.
For those who are unfamiliar with WebAuthn, this section will go through some fundamentals.
WebAuthn (the Web Authentication API) is an open standard that allows applications to register and authenticate users without needing passwords. By switching out knowledge-based authentication (passwords) with possession and biometric-based authentication (biometrics-enabled devices, hardware security keys), WebAuthn makes the user login journey more secure and convenient.
WebAuthn is one of the two core components of FIDO2 that enables websites to add passwordless authentication on supported browsers and platforms.
Since being announced in 2019, WebAuthn adoption has grown and it’s now supported on around 95% of global user devices. This is good news, because using WebAuthn has many benefits for users and app builders alike:
Better security: By using public-key cryptography (no shared secrets), WebAuthn removes the inherent weaknesses of passwords and makes it virtually impossible for attackers to phish a user’s credentials.
Better user experience: Rather than screaming to remember the most recent password they created (or going through laborious reset processes), users are able to log in to apps with a swipe of a finger or other similar low-friction methods. A better login experience improves user perception of the app they are accessing, leading to repeat visits and greater lifetime engagement.
Better interoperability: FIDO takes a standards and certification based approach, which safeguards authentication investments in the years to come and ensures that any FIDO authenticator works with any website / app.
Better privacy: Since WebAuthn uses public-key cryptography, any keys or biometrics information never leave the user’s device. Users also cannot be linked or tracked across two services or accounts using WebAuthn, since FIDO key pairs are unique for each application.
You can find a more detailed overview of WebAuthn in this article.
Introducing Virtual WebAuthn
Descope is still in stealth, so I cannot go into great detail about our service yet. But rest assured that, as a member of the FIDO Alliance, enabling app developers to use WebAuthn-based authentication is a big part of our plans.
We quickly discovered that there was no effective tool out there to validate and test WebAuthn authentication flows. That’s why we created Virtual WebAuthn – the tools were initially meant to help the Descope team quickly test both registration and authentication flows without needing a browser or authenticator. When we realized how helpful it was for us, we decided to open-source the tool for anyone else looking to integrate WebAuthn into their applications.
With Virtual WebAuthn, developers working on Go can:
Test both register/attestation and login/attestation flows
You can visit the repo here (we’d love to hear any feedback). Be sure to go through the Readme and check out a working example on how to use the library. We hope you find Virtual WebAuthn helpful while integrating FIDO-based authentication into your application!
If you want to engage with others going through the same authentication challenges that you are, we invite you to join AuthTown – our open user community for developers and product owners to come together and learn how authentication done right can be an enabler for any app.