WebAuthn 101: How Web Authentication Works

March 2019 was a watershed moment in our online lives. The World Wide Web Consortium (W3C), working with the FIDO Alliance, published WebAuthn as an official web standard (a W3C Recommendation) for password-free logins. In the few years since, every major browser has added support, and by industry estimates around 95% of users' devices can now use this authentication standard.

Sure sounds like a big deal and worth knowing more about! This post will explain the basics of WebAuthn, how it works, and why it's a safer and more user-friendly alternative to passwords.

The world before WebAuthn

Before defining WebAuthn, it’s important to understand how most users are authenticated on the Internet today (and the challenges that come with it).

Passwords eat the world

When Fernando Corbató introduced passwords for MIT's time-sharing system in the early 1960s, he probably didn't envisage them becoming the de-facto method of authenticating users around the world. Interestingly, the advent of passwords was partly a technological compromise: even though stronger authentication alternatives existed, storing passwords required far less memory on early computers.

Over the decades, password use has ballooned and has had two big ramifications: poor user experience and poor security.

Passwords cause friction throughout a user’s journey, from navigating complexity requirements during registration to trying to remember passwords during repeat visits and checkouts. This friction is worsened by people having more online accounts than ever: 90% of respondents to a LastPass survey reported having over 50 accounts. With so many passwords to remember, is it any surprise that people reuse passwords across accounts because they’re afraid of forgetting them?

While passwords are intended to secure user accounts, the result is often the opposite. According to the 2022 Verizon DBIR, over 80% of basic web application attacks can be attributed to the use of stolen credentials. Passwords are the biggest cause of account takeover, where criminals gain access to legitimate accounts through phishing, credential stuffing, password spraying and other guessing attacks. Rather than being a secure padlock that keeps bad actors out, a password database is a honey pot that draws them in.

WebAuthn was born out of the following thesis: can we authenticate users without passwords while simultaneously improving both security and convenience?

WebAuthn defined

The Web Authentication API (WebAuthn) is an open standard that enables applications to register and authenticate users without passwords by using public-key cryptography. Rather than knowledge-based authentication (passwords), WebAuthn relies on possession-based authentication (a private key held by a registered device or a hardware security key), optionally combined with a local biometric or PIN to unlock that key, to make the user journey both more secure and more convenient.

The WebAuthn specification involved contributions from the W3C, FIDO, and industry heavyweights such as Apple, Google, IBM, Intel, Microsoft, and Mozilla.

To understand WebAuthn, let’s look at the basics of public-key cryptography.

No more shared secrets

Many password-borne security and business challenges happen because a password is a shared secret between the client and the server: anyone who learns it, whether by phishing the user or by breaching the server’s database, can fully impersonate the victim. Public-key cryptography instead uses a keypair made of two mathematically linked keys:

  • The private key is stored on the user's device, is never shared with anyone, and is used to sign challenges.

  • The public key is stored on the server, can be shared with everyone, and is used only to verify those signatures.

This is called asymmetric cryptography because the two keys play different roles and each is useless for the other's job. In WebAuthn the keys are used for signing rather than encryption: the server can confirm that a signature came from the matching private key, but nothing stored on the server lets an attacker produce one. A brick-and-mortar analogy is a mailbox with a slot anyone can drop mail into but only one key that opens it.

The tenets of WebAuthn

Web authentication adheres to three key tenets that make it a safer alternative to passwords:

Strong

Private keys are generated and kept inside the authenticator, typically in tamper-resistant hardware such as a dedicated security key, a TPM, or the secure element or secure enclave of a phone or laptop, and never leave it; only signatures come out. The server holds nothing but public keys, so a breach of its database does not yield anything an attacker can log in with. (Synced passkeys relax the hardware-bound property for convenience, but the private key still never reaches the relying party.)

Scoped

A keypair is bound to the relying party ID (a domain) for which it was created, and the browser enforces that binding: a page is only allowed to request credentials for its own origin. A keypair registered at “descope[.]com” cannot be used by “pretendingtobedescope[.]com”, because the browser refuses to even present it there. Unlike a password, the credential cannot be tricked out of a user by a lookalike phishing site.

Attested

During keypair generation, the server may request attestation: a statement, signed by an attestation key the authenticator manufacturer provisioned (usually with an accompanying X.509 certificate chain), that vouches for the make and model of the authenticator that produced the new public key. This lets a relying party with strict requirements verify that the key came from a trusted type of authenticator. Most consumer sites do not request attestation and accept the "none" format.

Let’s dive into how WebAuthn works with examples for user registration and authentication.

How WebAuthn works

The main entities involved in a WebAuthn flow are:

  • The user: The person trying to register or authenticate to the application.

  • The user agent: Usually a web browser, this entity mediates all communication between the different entities involved in the flow.

  • The relying party: The web property (website, app) to which the user is trying to gain access.

  • The authenticator: The hardware or platform component (e.g. a phone, a YubiKey, or device-based biometrics such as Windows Hello and Apple Touch ID) that generates keypairs, obtains user authorization, and signs the relying party's challenges during the registration or login process.

Registration using WebAuthn

Here's an example of WebAuthn-based user registration on “bakedpotato[.]com”. This process is also known as the registration ceremony.

Fig: Steps involved in registration using WebAuthn

Step 1: The user clicks the “Register” button on “bakedpotato[.]com” on their web browser (user agent).

Step 2: The server for “bakedpotato[.]com” (relying party) generates a random, single-use challenge and sends it to the user agent together with the registration options: the relying party ID, a user handle, the signature algorithms it accepts, and whether it wants attestation.

Step 3: The user agent records the challenge and the page's origin in a structure called clientDataJSON, then asks the authenticator to create a new credential scoped to “bakedpotato[.]com”, since this is the first time the user is registering there.

Step 4: The authenticator prompts the user to authenticate themselves (e.g. using Touch ID on an Apple device, touching a YubiKey).

Step 5: Now that user authorization is complete, the authenticator creates a new keypair (a public and private key) and assigns it a credential ID. It packages the public key, the credential ID and a hash of the relying party ID into an attestation object. If attestation was requested, it signs this object together with the hash of clientDataJSON; with the common "none" format there is no signature and the server relies on the browser having mediated the exchange.

Step 6: The authenticator returns the attestation object to the user agent, which forwards it and clientDataJSON to the relying party.

Step 7: The relying party checks that the challenge and origin in clientDataJSON match what it issued and that the relying party ID hash is its own; if it requested attestation, it also verifies the attestation signature and certificate chain.

Step 8: The user is successfully registered. The relying party stores the public key, the credential ID and the initial signature counter against the user's account for future use.

Authentication using WebAuthn

Here’s what happens when the same user tries to log in to “bakedpotato[.]com” a few days after registration. This process is also known as the authentication ceremony.

Fig: Steps involved in authentication using WebAuthn

Step 1: The user clicks the “Login” button on “bakedpotato[.]com” on their web browser (user agent) and enters their username.

Step 2: The authenticating server (relying party) generates a fresh random challenge and sends it to the user agent, along with the credential ID(s) it stored for that user during registration.

Step 3: The user agent places the challenge and the page's origin in clientDataJSON and passes the credential ID to the authenticator, asking it to sign.

Step 4: The authenticator prompts the user to authenticate themselves (e.g. using Touch ID on an Apple device, touching a YubiKey).

Step 5: Once user authorization is granted, the authenticator uses the credential ID to locate the private key it created during registration. It increments its signature counter and signs the authenticator data (relying party ID hash, flags, counter) concatenated with the hash of clientDataJSON, which contains the challenge from Step 2.

Step 6: The authenticator returns the signature and authenticator data to the user agent, which forwards them with clientDataJSON to the relying party.

Step 7: The relying party checks that the challenge matches the one it issued (and has not been used before), that the origin is its own, that the relying party ID hash matches, that the user-presence flag is set, and that the signature counter has increased since the last login. Finally it uses the saved public key to verify the signature, proving that the challenge was signed by the corresponding private key.

Step 8: The user is successfully authenticated, and the relying party stores the new signature counter.

WebAuthn and FIDO2

WebAuthn is often used interchangeably with FIDO2. While they are very closely linked, they are not exactly the same.

FIDO2 is an open standard developed by the FIDO Alliance that enables users to log into applications without using passwords on both desktop and mobile environments. Instead of passwords, FIDO authentication uses registered devices or FIDO2 security keys to validate user identities. 

FIDO2 consists of two components: 

  • The Web Authentication API (WebAuthn), which enables applications to authenticate users with possession-based and biometric authentication.

  • The Client to Authenticator Protocol (CTAP), which enables the client to communicate with a roaming authenticator such as a hardware security key or a smartphone.

Fig: FIDO2 components

Essentially, WebAuthn is the browser-facing half of FIDO2: the API that lets websites add passwordless authentication on supported browsers and platforms. CTAP is the complementary half, governing how the client talks to roaming or external authenticators such as security keys or mobile phones over USB, NFC or Bluetooth. Platform authenticators built into the device (Touch ID, Windows Hello) are reached directly by the browser without CTAP.

WebAuthn benefits

Using WebAuthn has advantages for pretty much every stakeholder on the Internet except cybercriminals. 

Improved user experience and time-to-market

Since WebAuthn enables passwordless authentication, users get a frictionless login experience for apps without having to create and remember yet another password. Product owners can thus use WebAuthn to remove customer barriers while creating their application, letting users get to the “aha” moment quicker and more consistently. Moreover, not having to worry about managing and storing passwords allows developers and product teams to focus more time and effort on their application.  

Better security and trust

WebAuthn removes the inherent weaknesses of passwords by relying on registered user devices or security keys for authentication. This greatly reduces an organization’s attack surface: since only public keys are stored in its database, a breach no longer hands attackers anything they can log in with. Because credentials are bound to the legitimate origin and every login signs a fresh challenge, phishing, credential stuffing and replay, the main drivers of account takeover, stop working against WebAuthn-protected accounts.

As a result, WebAuthn is a signifier of business trust for customers. Using strong, phishing-resistant authentication lets customers know that their credentials cannot be stolen or replayed when they log into an app using WebAuthn.

More WebAuthn resources

Interested in learning more about WebAuthn and passwordless authentication?