March 2019 was a watershed moment in our online lives. The World Wide Web Consortium (W3C) and FIDO announced WebAuthn as the official web standard for password-free logins. In the years since, most browsers and around 95% of global user devices support this authentication protocol.
But what’s so revolutionary about WebAuthn? To get to the answer you need to understand the basics of WebAuthn first — how it works and what makes it a safer and more user-friendly alternative to passwords. So let’s dive in.
What led to the creation of WebAuthn
Before defining WebAuthn, it’s important to understand how most Internet users are authenticated today (and the challenges that come with it).
Passwords eat the world
When Fernando Corbató first presented the idea of passwords at MIT in 1960, he probably didn’t envisage them becoming the de facto authentication method. Interestingly, the advent of passwords was partly a result of technological compromise. Even though stronger authentication alternatives existed, storing passwords required far less memory for early computers.
But over the decades, password use has ballooned, with two big ramifications: poor user experience and poor security.
Passwords cause friction at every stage of the user’s journey, from complex registration requirements to recalling passwords for repeat visits and checkouts. This challenge is amplified by the increasing number of online accounts an average person has: 167 personal and an additional 87 work-related. And the number keeps growing every year.
Consequently, it's not surprising that users often reuse passwords across different accounts to avoid forgetting them, which brings us to the next point: the security of passwords.
Despite being intended to secure accounts, passwords often achieve the opposite. Rather than being a secure padlock to keep bad folks out, passwords are an attractive honey pot that draws them in. Credential stuffing and other brute force attacks — during which passwords are compromised, one way or the other — continue to be the root cause of account takeover. The 2024 Verizon DBIR indicates that the number of web application attacks stemming from passwords continues to grow.
Hence, the birth of WebAuthn. It was created with the goal of authenticating users without passwords, improving both security and convenience.
What is WebAuthn?
WebAuthn, short for Web Authentication API, is an open standard that uses public-key cryptography to enable web applications to register and authenticate users without the need for passwords. The WebAuthn specification was published by W3C and FIDO, in collaboration with industry heavyweights like Apple, Google, IBM, Intel, Microsoft, and Mozilla.
Instead of using knowledge-based factors (i.e. passwords), WebAuthn leverages possession- and inherence-based factors (e.g., biometrics) to provide a more secure and convenient user journey.
The tenets of WebAuthn
To understand the principle behind WebAuthn, we need to understand public-key cryptography.
Many password-borne security and business challenges happen because passwords are a shared secret between a client and a server. This means an attacker only needs a password to fully impersonate their victim.
Public-key cryptography, on the other hand, uses a private-public keypair where:
The public key is used to encrypt the data, is stored on the server, and can be shared with everyone.
The private key is used to decrypt the data, is stored on a user's device, and is never shared with anyone.
This is also called asymmetric encryption since it uses two keys, each of which is incomplete without the other. A good brick-and-mortar analogy is a personal physical mailbox with different keys to deposit and access mail, which this video explains in more detail.
WebAuthn was created upon three core tenets:
Strong: WebAuthn is backed by Hardware Security Modules (HSMs) that can safely store private keys and reliably perform the needed cryptographic operations for WebAuthn. HSMs are tamper-resistant, which makes WebAuthn robust enough to resist cyberattacks.
Scoped: A keypair can be used only for the specific origin where it was created. A keypair registered at “descope[.]com” cannot be used by “pretendingtobedescope[.]com”. This reduces the threat of attackers creating fake phishing sites to steal credentials.
Attested: During keypair generation, servers have the option to request attestation in the form of a certificate from authenticators. This allows the server to verify that the public key came from a trusted authenticator.
WebAuthn benefits
Using passwordless methods, WebAuthn takes authentication a step forward, improving both security and user experience. It benefits pretty much every stakeholder on the Internet except cybercriminals.
Better security
WebAuthn significantly increases resistance to a variety of common cybersecurity threats like phishing, credential theft, and man-in-the-middle attacks by ensuring that the private key remains on the user's device.
This cryptographic approach makes stolen or intercepted data useless to attackers. Additionally, WebAuthn facilitates stronger authentication by incorporating methods such as biometrics, hardware keys, or OTPs, which can be part of a multi-factor authentication flow.
Improved user experience
By eliminating traditional passwords, WebAuthn offers a seamless and efficient way for users to access services, drastically reducing the hassle of remembering different passwords and the risk of password fatigue. This not only simplifies the login process but also boosts overall user satisfaction and engagement with web applications.
Faster time to market
For developers and product owners, WebAuthn reduces the complexity and security risks associated with password management, allowing them to concentrate more on refining the application. This shift in focus can accelerate the development process and bring innovations to market more swiftly.
Enhanced privacy
WebAuthn is meticulously designed to ensure a minimal exchange of personal data during the authentication process, primarily sharing only the public key and certain metadata. This not only guards against the misuse of personal information but also ensures that users are not subjected to cross-service tracking or profiling, thus offering more privacy protection.
How WebAuthn works
The main entities involved in a WebAuthn flow are:
The user: The person trying to register or authenticate to the application.
The user agent: Usually a web browser, this entity mediates all communication between the different entities involved in the flow.
The relying party: The web property (website, app) to which the user is trying to gain access.
The authenticator: A piece of hardware (e.g. phones, YubiKeys, device-based biometrics like Windows Hello and Apple Touch ID) that generates keypairs, signs digital certificates, and gets user authorization during the registration or login process.
Try out Virtual WebAuthn, an open-source set of Go tools to help developers test WebAuthn flows without needing a browser or an actual authenticator.
Registration using WebAuthn
Here's an example of WebAuthn-based user registration on “bakedpotato[.]com”. This process is also known as the registration ceremony.
Step 1: The user clicks the “Register” button on “bakedpotato[.]com” on their web browser (user agent).
Step 2: The authenticating server for “bakedpotato[.]com” (relying party) issues a challenge to the user agent to enable WebAuthn login.
Step 3: The user agent sends the challenge to the authenticator along with a directive to create new credentials, since this is the first time the user is registering on “bakedpotato[.]com”.
Step 4: The authenticator prompts the user to authenticate themselves (e.g. using Touch ID on an Apple device, touching a YubiKey).
Step 5: Now that user authorization for the process is complete, the authenticator creates a new keypair (a public and private key) and uses the private key to sign the challenge issued by the relying party.
Step 6: The authenticator sends the signed challenge, the public key, and other associated details to the relying party via the user agent.
Step 7: The relying party uses the public key to validate that the challenge was signed by the corresponding private key (i.e. that the registration is legitimate).
Step 8: The user is successfully registered. The relying party stores the public key and other details against the respective username for future use.
Authentication using WebAuthn
Here’s what happens when the same user tries to log in to “bakedpotato[.]com” after a successful registration. This process is also known as the authentication ceremony.
Step 1: The user clicks the “Login” button on “bakedpotato[.]com” on their web browser (user agent) and enters their username.
Step 2: The authenticating server (relying party) issues a challenge to the user agent. It also sends along the private key ID that it stored during registration.
Step 3: The user agent sends the challenge and private key ID to the authenticator.
Step 4: The authenticator prompts the user to authenticate themselves (e.g. using Touch ID on an Apple device, touching a YubiKey).
Step 5: Once user authorization is granted, the authenticator uses the provided private key ID to fetch the generated keypair. It then uses the private key to sign the challenge issued by the relying party in Step 2.
Step 6: The authenticator sends the signed challenge and other associated details to the relying party via the user agent.
Step 7: The relying party uses the saved public key to validate that the challenge was signed by the corresponding private key (i.e. that the authentication attempt is legitimate).
Step 8: The user is successfully authenticated.
WebAuthn vs FIDO2
WebAuthn is often used interchangeably with FIDO2. While they are very closely linked, they are not exactly the same.
FIDO2 is an open standard developed by the FIDO Alliance that enables users to log into applications without using passwords on both desktop and mobile environments. Instead of passwords, FIDO authentication uses registered devices or FIDO2 security keys to validate user identities.
FIDO2 consists of two components:
The Web Authentication API (WebAuthn), which enables applications to authenticate users with possession-based and biometric authentication.
The Client to Authenticator Protocol (CTAP), which enables the client to communicate with a roaming authenticator such as a hardware security key or a smartphone.
Essentially, WebAuthn is one of the two core components of FIDO2 that enables websites to add passwordless authentication on supported browsers and platforms. The other core component of FIDO2 – CTAP – is complementary to WebAuthn. CTAP governs the communication between the client and roaming / external authenticators like security keys or mobile phones.
An easy implementation of WebAuthn biometrics with Descope
Learning and debugging WebAuthn can be a complex and time-consuming process. Descope helps developers easily add WebAuthn-based biometrics to their apps with no-code workflows, SDKs, and APIs.
Sign up for a Free Forever account with Descope and add WebAuthn to your app with a few lines of code. Have questions about our platform? Book time with our auth experts below.