Nobody likes passwords. Users don’t like passwords because they are hard to remember and every system seems to have a unique password policy. Companies do not like passwords because they drive up support costs and reduce productivity. IT security does not like passwords because they are easily compromised. The news is filled with stories about stolen credentials, mega breaches, and reputation damage. Yet passwords remain. For years, new techniques for replacing passwords have come and gone with different levels of success.
Now there is a new standard that has a real chance to replace passwords. I know some of you are thinking that you have heard this before. A shiny new approach, but will it really work? Will it work in the real world? Will users actually adopt the new technology? Can it be implemented without requiring a massive project, expensive new infrastructure, and/or an army of consultants? This article will walk through the basics of WebAuthn and FIDO2 and how its ease of use, strong security, and industry support will accelerate the implementation of passwordless authentication and reduce the difficulty of use.
WebAuthn is a W3C specification, ratified in March of this year, that evolved out of the FIDO Alliance’s Universal Second Factor (U2F) standard. It paves the way for common deployments across browsers, operating systems and applications.
If you have heard of WebAuthn, you have probably also heard of FIDO2. FIDO2 is a term that encapsulates the WebAuthn standard and the FIDO Alliance’s Client to Authenticator Protocol version 2 (CTAP2). WebAuthn and CTAP2 work in concert to eliminate passwords.
These standards work together and establish a method for asymmetric (public-key) cryptography and origin-bound key validation to verify the authenticity of the user to the relying party. The standards also provide protection against phishing attacks as only the relying party that initially performed the registration with the FIDO-compatible security key will receive a valid response. Each registered application has its own unique public / private key pair providing an additional level of security and privacy.
WebAuthn requests that a credential be created by the authenticator for a particular RP. The authenticator provides key management and cryptographic signatures. The authenticator generates the credentials. This eliminates the need for a company to implement and manage a public key infrastructure (PKI) for end-user authentication. This streamlined approach will make implementations and adoption easier for companies. The authenticator also provides an attestation certificate that provides basic information about the authenticator that the relying party can use accordingly. Attestation proves to the relying party that the keys generated originate from a genuine device.
WebAuthn and CTAP2 take the U2F authentication model and extend it for primary login as opposed to only enabling a second factor. The specifications include user verification (biometric and/or PIN) for added security. User verification (UV) provides a multi-factor authentication and ensures if someone gets ahold of the authenticator they cannot use it without PIN or biometric information. The PIN and biometric information never leaves the authenticator, and they serve only to unlock the authenticator for use. WebAuthn can be used as a second factor and is backwards compatible with U2F-based authenticators. Users have become accustomed to logging in using fingerprint readers and PINS so this form of interaction should be readily accepted.The specification also includes the concept of user presence (UP) which requires the user to perform an action, like touching a security key, to ensure a person is involved in the event.
Putting it all together
Strong, modern authentication requires a number of systems to work together. One of the challenges with mass adoption of U2F was that not all browsers support it. That brought the FIDO Alliance and the W3C together to work on standard ways to ensure implementations work across browsers and platforms. Now, all major browsers are actively working to implement support for WebAuthn and have some form of FIDO2 functionality working today with full functionality and browser parity coming in the not-too-distant future. Having WebAuthn and CTAP2 built into browsers and platforms reduces the need to deploy client software, making implementation much easier for services, relying parties, organizations and companies.
In order to integrate WebAuthn with their applications, relying parties will need a lightweight WebAuthn server. WebAuthn capabilities are being built into Identity Provider solutions or companies can build their own using open source projects. One such project can be found at https://github.com/Yubico/java-webauthn-server
Relying parties should plan for account holders to have multiple authenticators registered. Each public-private key pair is bound to an authenticator and cannot be copied or shared by design. Since multiple security keys can be tied to an account, a relying party should allow users to name authenticators for easier tracking and management. Authenticators come in a number of form factors that provide convenient options for users to authenticate. They can be built into the computer (Windows 10 provides this capability now), into a mobile phone (Android 7+ phones can be used for FIDO 2FA at this time), or be on a keychain like the YubiKey (FIDO2 ready) . The FIDO Alliance maintains a list of authenticators that are U2F and FIDO2 certified at https://fidoalliance.org/certification/fido-certified-products/
Traditionally, a password is used for the initial authentication since it is not bound to the device. To remove passwords, the initial login scenario needs to be resolved. One way to resolve this is to use security keys to help bootstrap new devices and support a passwordless option for initial login to an RP. A new device that can be used as a FIDO2 authenticator cannot be used until it is registered with the RP. A security key that is already registered to the RP can be used to perform the initial login. After initial login, the new device can then be registered and be used as a FIDO2 authenticator.
With the confluence of secure hardware at the user’s fingertips (in the form of security keys and secure elements within devices), WebAuthn ratification, and industry adoption, there is a viable solution to replace and or dramatically reduce the use of passwords. WebAuthn will attract users with its strong security, convenience, and ease of use. Even though the user will authenticate with different authenticator form factors, with unique credentials, the process will appear seamless. The work is not done but users can count on fully viable solutions very soon.
As an identity professional, what can I do to prepare for a WebAuthn deployment? Within your company, there are a number of things that can be done to prepare for leveraging FIDO2.
Review and update policies and procedures
We have been living with passwords for a long time and have built processes with that model in mind. Processes need to be revisited if passwords are not used or significantly reduced. How will onboarding be affected? How should recovery processes be altered? What type of authenticators make sense for the company? PINs are not considered passwords and should have their own policy.
Additionally, passwords have a one-to-one relationship with an account. With FIDO2, an account can have many credentials across different devices. This subtle shift can have some dramatic impacts to a company. As an example, access policies could be written based on which authenticator or authenticator family type is being used.
Work with your IDPs and RPs to support the standard
WebAuthn is gaining a lot of traction but unless the majority of identity providers and web applications implement the technology, it will take a long time to eliminate passwords. Vendors really listen to their customers to prioritize feature requests. The more they hear from IDPros, the sooner WebAuthn will be implemented into their authentication flows.
Upgrade to the latest browsers and platforms
Though the infrastructure footprint can be minimal, the technology is highly reliant on the latest browsers and platforms. Work with your counterparts within your company to ensure that browsers and platforms are being updated.
Start planning for a pilot
WebAuthn/FIDO2 can be used today with certain websites and more will be coming online soon. A pilot will help work through all the processes that need to be updated for a successful deployment.
This article provides a high level overview of WebAuthn/FIDO2 but there are a number of details that can be explored in more detail, especially if you plan to implement WebAuthn for your own services.
If you will be attending the Identiverse conference in June, go to one of the many WebAuthn/FIDO sessions. Here is a short list of relevant sessions (details and additional sessions can be found online)
Tuesday, June 25th
- Google Masterclass: Democratizing phishing-resistant FIDO technology
- SecureAuth Masterclass: What passwordless technology can learn from American Prohibition
- Federating FIDO through a Blockchain
Wednesday, June 26th
- Ping Identity Masterclass: Implementing Passwordless Authentication with FIDO-based, Intelligent MFA
- The state of FIDO
- Netflix’s Journey with WebAuthn
Thursday, June 27th
- Standards: The Bedrock of Identity
- The next wave of Identity standards
- Ping Identity Presents: The Intelligent Future of Multi-factor Authentication
- Envisioning Authentication Beyond FIDO
Friday, June 28th
- SecureAuth Masterclass: What passwordless technology can learn from American Prohibition
- MFA for Real – reports from the field
Additionally here is a list of great resources to learn more about Webauthn and FIDO2 as well as public announcements of support:
- Follow the IDPro fido slack channel
- Google Android 7+ Phone Is Now a FIDO2 Security Key
- Microsoft Achieves FIDO2 Certification for Windows Hello
David Treece is a senior solutions architect at Yubico and an individual member of IDPro.