
NetworkJutsu

Networking & Security Services | San Francisco Bay Area



WebAuthn: Moving to a passwordless world

03/31/2019 By Andrew Roderos


What is Web Authentication (WebAuthn)? It is a new mechanism for authenticating to websites, replacing traditional username and password login credentials with security keys or built-in authenticators.

On March 4, 2019, the World Wide Web Consortium (W3C) and the Fast IDentity Online (FIDO) Alliance finalized the Web Authentication (WebAuthn) specification [1]. This web standard is a major step forward in making the web more secure, passwordless, and easy to use.

The WebAuthn specification is a major and collaborative leap forward in the evolution of simpler, stronger user authentication.

James Barclay, Senior R&D Engineer, Duo Security, a Cisco business unit

Why are we moving to a passwordless world?

81% of hacking-related breaches leveraged either stolen or weak passwords

As mentioned in the multi-factor authentication (MFA) article posted last month, protecting accounts with passwords alone has been failing for many years. Credential theft via phishing is a very popular and successful social engineering attack employed by cybercriminals. In addition, collections of stolen user credentials are regularly posted online [2], and those collections are then used to launch attacks known as credential stuffing. The industry’s response to such attacks is the implementation of MFA, but some implementations do not adequately address attacks such as phishing and man-in-the-middle (MITM).

WebAuthn addresses phishing and MITM attacks in a way that is more manageable and user-friendly, but that alone does not guarantee a rapid rate of adoption. Users are slow to adopt better security. In fact, Google revealed in a presentation on January 17, 2018, that only 10% of active Google accounts have two-factor authentication (2FA) [3].

How it works

Traditionally, when we sign up for an online account, we are asked to create a unique username and password. With WebAuthn, we are instead presented with several choices for authentication such as username and password combination, multi-factor authentication, or passwordless authentication.

The next time the user connects to the website, the server sends a challenge and provides a list of credentials that are registered to the individual and can also indicate where to look for the credentials – internal or external authenticator.

Authenticator choices

There are two main kinds of authenticator: internal and external. Internal authenticators, referred to as platform authenticators in the WebAuthn specification, are built into the device; examples are Apple’s Touch ID and Windows Hello (e.g., fingerprint or facial recognition).

External authenticators, referred to as roaming authenticators in the WebAuthn specification, are removable and can roam among devices; examples are a security key or a smartphone.

Is it better than existing solutions?

It depends. Users have different levels of risk they’re willing to take, and some users are more risk-averse than others. For people who, to this day, do not use password manager software or some sort of algorithm to remember different passwords for their accounts, this is a great solution. It doesn’t require them to remember any passwords, which means no password reuse issues, and it’s convenient to use yet still provides strong account protection.

Conclusion

In our previous post, we highlighted the importance of utilizing multi-factor authentication. While it provides an additional layer of security, some MFA strategies fail to address phishing, MITM attacks, etc. These cyberattacks give cybercriminals the ability to compromise accounts even with an additional layer of security in place. WebAuthn attempts to address the shortcomings of both password-based authentication and multi-factor authentication.

From a security standpoint, it is a significant step in providing users a simpler and stronger authentication mechanism. WebAuthn may take some time for full adoption, but it is definitely a step in the right direction. In the meantime, being vigilant about protecting our passwords by enabling multi-factor authentication, where possible, is a must in this day and age.

NetworkJutsu provides networking and network security consulting services for startups, more established small and medium-sized businesses (SMBs), and large businesses throughout the San Francisco Bay Area.

References

[1] W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Login
[2] 2.2 Billion Accounts Found In Biggest Ever Data Dump — How To Check If You’re A Victim
[3] Anatomy of Account Takeover
