WebAuthn 101: Passwordless Identity Verification
Relying on cryptographic keys on the backend and user biometrics (in the strongest systems) on the front end, WebAuthn brings greater security and enhanced UX to any business.
What is WebAuthn?
Businesses and their customers are under attack by criminals who commit identity fraud. The Federal Trade Commission received over 1.4 million identity theft reports in 2021, the latest year for which statistics are available.
The digital economy presents a rich target for these fraudsters. In 2023, Intelligence Insider estimates that global retail e-commerce will reach $6.3 billion. At the same time, the Q3 2022 Digital Trust & Safety Index from Sift found that overall account takeovers (ATOs) rose in the first half of 2022, with the largest increases affecting fintech (71% increase), marketplaces (39% increase), and digital goods and services (37% increase).
It’s essential for businesses to be able to verify that the person attempting to access an account is really the customer who owns the account. But the passwords traditionally used for this purpose have become increasingly insecure as criminal techniques have become more sophisticated.
Web authentication (WebAuthn) is a digital identification solution that allows users to verify their identities without passwords. It’s an application programming interface (API) that enables applications using a compliant browser to talk to platform authenticators, such as a smartphone’s fingerprint reader, and cross-platform authenticators, such as a hardware security key that can be used with a laptop, tablet, or smartphone.
A Brief History of WebAuthn
Much has been written in recent years about the problems with passwords. The root of many of these issues is: since passwords must be remembered, users keep them too simple or reuse the same password for multiple accounts. A 2019 study by Google and The Harris Poll found that 59% of Americans incorporated a name or birthdate into their password. According to Forbes, Microsoft discovered that 44 million accounts were reusing passwords that appeared in a database of breached credentials. And the 2022 Verizon Data Breach Investigations Report found that 82% of hacking-related breaches used stolen passwords and/or weak passwords.
To overcome these issues, some businesses turned to multi-factor authentication (MFA). A common MFA scenario involves a customer attempting to log in using their username and password and then being asked to enter a four-to-six-digit code that has been sent to a separate device (typically either via SMS or email). This increases security because it’s unlikely that a fraudster with a stolen username and password would also have the customer’s other device. But it has led to customers being more at risk of phishing scams. Phishing is when a customer receives an email or text, purportedly from a real business, that actually links to a criminal’s site where the customer is prompted to enter their information. The data is then gathered by the cybercriminals and used for fraudulent activities or, often, sold on the dark web. A decade ago, technology leaders began working to find an identity protocol that could overcome these challenges.
In 2014, the FIDO (Fast IDentity Online) Alliance released the FIDO Universal 2nd Factor (U2F) protocol. FIDO2 represents the continued development of the U2F specification and enables the use of common devices to authenticate to online services using unique cryptographic login credentials for every site. In 2016, the World Wide Web Consortium (W3C), an international community where member organizations, staff, and the public work together to develop web standards, launched a new web authentication standards effort based on FIDO2 Web APIs.
The Rise of WebAuthn
By early 2018, several leading browsers had already implemented WebAuthn and others were in the process of integrating it. This deployment within the browser community has been followed by support among access management vendors and the introduction into the market of security keys from an increasing number of vendors. In March 2019, W3C announced that WebAuthn had become the official web standard for password-free login. By January 2022, its ability to prevent credential theft put it on the U.S. Office of Management and Budget’s list of acceptable authentication methods for the federal government to implement by the end of fiscal year 2024.
How Does Web Authentication Work?
WebAuthn works by registering the authenticator with a specific application or website and creating a public-private key pair that serves as the user’s credential. The credential information encrypted by the public key and stored locally on the website’s server can only be deciphered using the private key, which is available only in the user’s authenticator. The private key is stored locally on the user’s device, while the public key is stored on the application or website’s server. This approach brings strong cryptographic principles to user registration and authentication.
Registration (also known as identity proofing and verification) occurs when a user opens an account for the first time with a website or application. A new public-private key combination is created specifically for that device and account.
For the new user, this process typically looks something like:
- They begin the process by creating and submitting a username.
- They receive a prompt on their phone to complete their registration.
- As part of completing registration, they create the ID factor, such as a fingerprint, that they will present to authenticate themselves on future visits.
Behind the scenes, the registration process looks a little different:
- It’s the responsibility of the authenticator to ensure that the user consents to all operations, so consent is confirmed before the new public-private key pair is generated. The public key and credential ID are returned to the browser to provide future proof of the integrity of the authenticator.
- A public key credential that contains a unique credential ID, client data, and the authenticator proof of integrity is created and sent to the web server.
- The server registers the user’s device by validating the signature with the public key, the authenticator proof of integrity, and that the original challenge hasn’t changed.
Identity authentication occurs when the user returns to the site or application and presents their credentials to gain access to their account.
From the user’s perspective, the process usually goes something like:
- They return to a website or application where they have an account.
- They provide their credentials on the login page.
- Their authenticator asks them to confirm that they are trying to log in.
- They confirm in the authenticator, and they enter the account.
Behind the scenes, again, things look a little different:
- When the user provides their credentials, the web server generates a unique challenge key and sends the challenge and the credential ID to the web application.
- The browser validates the web server and sends the challenge and its domain name to the authenticator, asking it to authenticate the user.
- The authenticator requests user consent.
- Once the user confirms in the authenticator, access is granted.
5 Types of Web Authentication Methods
There are several methods that can be used with WebAuthn. Here are some of the most commonly used choices.
- HTTP Authentication
HTTP authentication uses HTTP standards to secure the user’s information and verify whether the user should be able to access the account. While there are several scenarios for HTTP authentication, the basic idea is that the web server requests the user’s credentials for authentication from the client using an HTTP header. The client responds with the information in a header as well.
- Cookie-Based Authentication
Many users are familiar with cookies that enable them to be recognized when they return to a site they’ve previously visited. An HTTP cookie is a tiny bit of data sent by the website server to the user’s web browser. Cookie-based authentication uses HTTP cookies to confirm client identity. Signed HTTP cookies show the server if the cookie was modified by the web browser.
- Session-Based Authentication
A session is a small file that the server creates after a user logs in that contains information including user ID, login time, and expiration time. The server stores this information as a session ID on a cookie in the user’s web browser. The next time the user makes a request, the browser sends the session ID to the server in an HTTP header. The web server confirms that the session ID is valid and returns the requested information.
- Token-Based Authentication (JWT)
Instead of using sessions, web applications can use JSON Web Tokens (JWT) for authentication. The server creates a JWT with a secret key and sends it to the client, which stores it. The JWT is included in the header of every request from the client. The server validates the JWT in every request and sends a response.
- One-Time Passwords (OTP)
A one-time password is an automatically generated string of characters that’s valid for a limited period of time to authenticate a user for one transaction or login. The authentication manager on the network server generates a number or shared secret using OTP algorithms. The same number and algorithm are used by the OTP security token on a smart card or hardware-based authenticator or an authentication app on a mobile device to match and authenticate the user.
5 Benefits of WebAuthn Passwordless Identity Verification
WebAuthn has been widely adopted for its security benefits in an age when customers expect better protection of their data by the companies with whom they do business. But improved security is only one of the benefits WebAuthn offers.
- Broad Platform and Browser Support
Currently, WebAuthn is supported by Windows 10, Android platforms, and popular browsers including Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari. The number of authenticators built into computers and phones is also growing, which makes users familiar and comfortable with their use. Further use of WebAuthn is being driven by the W3C’s WebAuthn Adoption Community Group, which identifies and addresses obstacles that slow down adoption.
- Better Customer Experience
Simply by removing the burden of having to remember passwords, WebAuthn improves the customer experience. By enabling passwordless authentication, WebAuthn also makes better use of a customer’s time by speeding up login and enabling simplified logins across user devices.
- Lower Costs
Taking passwords out of the equation also means that businesses no longer have to create and store passwords or replace lost ones. This is significant, as Gartner has estimated that 40% of all help desk calls are related to passwords and resets, while Forrester Research estimates that each password reset costs $70.
- Flexible Security Levels
WebAuthn gives businesses the option to set the best security level for their customer use cases with their choice of single-factor, two-factor, and multi-factor authentication. Because it’s backwards compatible with FIDO2 U2F authenticators, businesses currently using these authenticators for two-factor authentication can continue to use them with WebAuthn.
- Improved Security
The public-private key approach used in WebAuthn increases security against two common methods used to commit identity fraud: credential theft/hacking and phishing. It also protects users from account takeovers and businesses from storing user credentials.
Industry Benefits of WebAuthn
Every $1 lost to fraud costs U.S. financial firms $4.23, a 16.2% increase from 2020, according to LexisNexis® Risk Solutions. So it’s critical for banks and fintechs to minimize their fraud due to password hacks and account takeovers. With WebAuthn, banks can implement passwordless, cryptographically protected authentication processes using passkeys and factors that are almost impossible to steal, such as fingerprints, facial scans, and other biometrics.
One of the results of the pandemic is increased digitization in healthcare. The U.S. HIPAA standards require that healthcare organizations “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.” WebAuthn enables organizations to achieve this authentication with a higher level of certainty than earlier authentication protocols.
Another outcome of the pandemic is that for higher and executive education, remote learning is here to stay. Because they never see the student in person, these institutions must be able to verify the student’s identity differently and with a higher degree of confidence than in traditional settings. Since there are so many organizations offering online courses and degrees, student onboarding and authentication experiences that are easy to complete can increase an institution’s competitiveness. WebAuthn enables these educators to ensure prospective students are truly who they claim to be, while students can quickly and easily onboard and log in for classes and coursework.
Authentication vs. Authorization: What’s the Difference?
Authentication and authorization can sometimes seem like interchangeable terms, but they have distinct meanings. Authentication, or ID proofing authentication, is a process that verifies the identity of a known user. On the other hand, authorization is a process that verifies what a user can access.
WebAuthn and other security protocols integrate both authentication and authorization. To access a resource, a user must authenticate, or prove, their identity. But even if their identity is authenticated, access won’t be granted unless they are authorized for that resource.
To illustrate the difference, let’s look at two protocols that can seem similar because they are both designed to minimize the exposure of user credentials: OpenID for authentication and OAuth for authorization.
The OpenID protocol allows users to authenticate themselves on multiple websites with credentials from a different, existing account. A common example of this is using Facebook or Google credentials to log into a wide variety of unrelated sites. From a security point of view, the user credential is only shared with Facebook, Google, or another OpenID provider, which confirms their identity for the site they want to log into. That site never sees the actual user credential.
The OAuth protocol allows a user to authorize one application to interact with another application on their behalf without exposing their credentials. Common examples include linking accounts, such as a payment app and a bank account (e.g., Zelle and a Bank of America checking account), and allowing one app to import contacts from another. OAuth uses authorization tokens to prove an identity between users and service providers, without sharing the user credentials. The user is asked to approve the interaction, and it proceeds only once they do.
Web Authentication Implementation Best Practices
As businesses consider implementing new WebAuthn security protocols, there are several best practices to keep in mind.
Prioritize User Experience
User experience should be at the heart of any authentication scenario. In replacing passwords that make authentication difficult for users, it’s important to ensure that the factors used in WebAuthn are simple to use, whether they’re OTPs or biometric factors, such as fingerprints or facial scans. Even for high-security multi-factor authentication, developers should make user experience a design priority.
Avoid Text Messages
Using SMS messages to send OTPs as part of a multi-factor authentication process was once regarded as highly secure, but that outlook has changed – for three main reasons:
- SIM swapping, in which a fraudster convinces the user’s carrier that they are the user who has lost their phone, has grown in incidence and in sophistication. SIM swapping results in the user’s phone number being assigned to a new SIM card on a different phone, where a fraudster can then access the SMS messages sent to the user.
- When users can synchronize and see SMS texts on their phone, laptop, and tablet, it reduces the security of multi-factor authentication because they can attempt to log in and receive their OTP on the same device.
- When users can view text messages on their wireless provider’s site, the vulnerability of that account to ATO (account takeover) becomes a factor in the security of multi-factor authentication.
Store Regular Data and Sensitive Data Separately
Security is based not only on how information is protected, but who can access it. No matter how well secured and encrypted it is, it’s a mistake to store regular data together with sensitive data – including user credentials. A single repository makes it hard to keep people who should only be able to access regular data from accessing sensitive data. The more people who are granted data access, the less secure a system becomes.
Implement Web Authentication with Daon
At a time when nearly every business has an online presence, WebAuthn offers many advantages in overcoming the risks and potential costs of using password-based authentication. The ability to increase security while making it easier for users to access their accounts improves both customer experience and trust in the organization.
Learn how Daon can help you find the right authentication solution for your business.