
What is Web Authentication (WebAuthn)? It is a new mechanism for authenticating to websites, replacing traditional username and password login credentials with security keys or built-in authenticators.
On March 4, 2019, World Wide Web Consortium (W3C) and Fast IDentity Online (FIDO) Alliance finalized the Web Authentication (WebAuthn) specification1. This web standard is a major step forward in making the web more secure, passwordless, and easy to use.
The WebAuthn specification is a major and collaborative leap forward in the evolution of simpler, stronger user authentication.
James Barclay, Senior R&D Engineer, Duo Security, a Cisco business unit
Why are we moving to a passwordless world?
81% of hacking-related breaches leveraged either stolen or weak passwords
As mentioned in the

WebAuthn solves phishing and MITM attacks in a way that is more manageable and user-friendly but does not guarantee a rapid rate of adoption. Users are slow to adopt better security. In fact, Google revealed in a presentation on January 17, 2018, that only 10% of active Google accounts have two-factor authentication (2FA)3.
How it works
Traditionally, when we sign up for an online account, we are asked to create a unique username and password. With WebAuthn, we are instead presented with several choices for authentication such as username and password combination, multi-factor authentication, or passwordless authentication.
The next time the user connects to the website, the server sends a challenge and provides a list of credentials that are registered to the individual and can also indicate where to look for the credentials – internal or external authenticator.
Authenticator choices
There are two main authenticators available: internal and external authenticators. The internal authenticators, which are referred to as platform authenticators in WebAuthn specification, are built into the device. For example, Apple’s Touch ID, Windows Hello (e.g., fingerprint or facial recognition), etc.
The external authenticators, which are referred to as roaming authenticators in WebAuthn specification, are removable from and can roam among devices. For example, a security key, smartphone, etc.
Is it better than existing solutions?
It depends. Users have different levels of risks they’re willing to take. Some users are risk-averse than others. For people who, to this day, do no use a password manager software or a sort of algorithm to remember different passwords for their accounts, then this is a great solution. It doesn’t require them to remember any passwords, which means no password reuse issues, and it’s convenient to use yet still provide strong account protection.
Conclusion
In our previous post, we highlighted the importance of utilizing multi-factor authentication. While it provides an additional layer of security, some MFA strategies fail to address phishing, MITM attacks, etc. These cyberattacks enable cybercriminals the ability to compromise accounts even with an additional layer of security in place. WebAuthn attempts to address the shortcomings of both password-based authentication and multi-factor authentication.
From a security standpoint, it is a significant step in providing users a simpler and stronger authentication mechanism. WebAuthn may take some time for full adoption, but it is definitely a step in the right direction. In the meantime, being vigilant about protecting our passwords by enabling multi-factor authentication, where possible, is a must in this day and age.
NetworkJutsu provides networking and network security consulting services for startups, a more established small and medium-sized business (SMB), or large business throughout the San Francisco Bay Area.
You might also like to read
How to improve your cybersecurity
What is multi-factor-authentication (MFA)?
______________________________________________________________________________________________________________________________
1 W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Login
2 2.2 Billion Accounts Found In Biggest Ever Data Dump — How To Check If You’re A Victim
3 Anatomy of Account Takeover