WebAuthn

I want to read more about WebAuthn. I was using a service, and passkeys were suggested for use. I want to learn more about why / what is WebAuthn.

Date Created:
1 36

References

Notes

Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize the interface for authenticating users to web-based applications and services using public-key cryptography. WebAuthn credentials (which are themselves FIDO credentials) that are available across multiple devices are commonly referred to as passkeys.

On the client side, support for WebAuthn can be implemented in a variety of ways. The underlying cryptographic operations are performed by an authenticator, which is an abstract functional model that is mostly agnostic with respect to how the key material is managed. This makes it possible to implement WebAuthn purely in software. Sensitive cryptographic operations can also be offloaded to a roaming hardware authenticator, which can in turn be accessed via Bluetooth or near-field communication. Unlike legacy U2F, Web Authentication is resilient to verifier impersonation (that is, it is resistant to phishing attacks), but unlike U2F, WebAuthn does not require a traditional password. Moreover, a roaming hardware authenticator is resistant to malware, since the private key material is at no time accessible to software running on the host machine.

FIDO2 is the successor to FIDO Universal 2nd Factor (U2F). Whereas U2F only supports multi-factor mode, having been designed to strengthen existing username/password-based login flows, FIDO2 adds support for single-factor mode. In multi-factor mode, the authenticator is activated by a test of user presence, which usually consists of a simple button push; no password is required. In single-factor mode, the authenticator (something you have) performs user verification. Depending on the authenticator's capabilities, this can be:

  • something you know: a secret such as PIN, passcode, or swipe pattern
  • something you are: a biometric such as fingerprint, iris, or voice

Regardless of mode, the authenticator never shares its secrets or biometric data with the website. Moreover, a single user's secret or biometric works with all websites, as the authenticator will select the correct cryptographic key material to use for the service requesting authentication after user verification was completed successfully.

Advantages over Traditional Password-Based Authentication

WebAuthn addresses by design many inherent issues in traditional password-based authentication:

  • Secure Credential Generation and Storage: WebAuthn generates unique credentials for each website using robust algorithms, storing them securely in trusted authenticators. This eliminates common vulnerabilities such as:
    • Weak passwords that can be brute-forced
    • Poor client-side password storage
    • Password reuse across multiple websites
  • No Server-Side Credential Storage: The private part of a credential is never stored on a server, eliminating risks and vulnerabilities such as:
    • Insecure password storage in databases
    • Database leaks exposing passwords
    • Mandatory, periodic password changes
  • Unique Credentials for Each Website: WebAuthn ensures credentials are unique per website, eliminating the following risks and vulnerabilities:
    • Credential stuffing attacks, where attackers reuse credentials from one data breach across multiple sites
    • Phishing attacks, as credentials cannot be reused or misapplied to different websites

Overview

Like its predecessor FIDO U2F, W3C Web Authentication (WebAuthn) involves a website, a web browser, and an authenticator:

  • The website is a conforming WebAuthn relying party
  • The browser is a conforming WebAuthn client
  • The authenticator is a FIDO2 authenticator, that is, it is assumed to be compatible with the WebAuthn client

Authentication

The authenticator is a multi-factor cryptographic authenticator that uses public-key cryptography to sign an authentication assertion targeted at the WebAuthn Relying Party. Assuming the authenticator uses a PIN for user verification, the authenticator itself is something you have while the PIN is something you know. To initiate the WebAuthn authentication flow, the WebAuthn Relying Party indicates its intentions to the WebAuthn Client via JavaScript. The WebAuthn Client communicates with the authenticator using a JavaScript API implemented in the browser. A roaming authenticator conforms to the FIDO Client to Authenticator Protocol.

A Typical Web Authentication Flow

Registration

When the WebAuthn Relying Party receives the signed authentication assertion from the browser, the digital signature on the assertion is verified using a trusted public key for the user. To obtain a public key for the user, the WebAuthn Relying Party initiates a WebAuthn registration flow that is similar to the authentication flow illustrated above.

API

WebAuthn implements an extension of the W3C's more general Credential Management API, which is an attempt to formalize the interaction between websites and web browsers when exchanging user credentials. The Web Authentication API extends the Credential Management navigator.credentials.create() and navigator.credentials.get() JavaScript methods so they can accept a publicKey parameter. The create() method is used for registering public key authenticators as part of associating them with user accounts (possibly at initial account creation time but more likely when adding a new security device to an existing account) while the get() method is used for authentication.

To check whether a browser supports WebAuthn, scripts should check whether the window.PublicKeyCredential interface is defined. In addition to PublicKeyCredential, the standard also defines the AuthenticatorResponse, AuthenticatorAttestationResponse, and AuthenticatorAssertionResponse interfaces, as well as a variety of dictionaries and other data types.
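The sign-in flow from the Authentication and API sections, as an added example that is not part of these notes or of any WebAuthn library: the browser side builds the publicKey options for navigator.credentials.get(), and the relying-party side checks the clientDataJSON returned with the assertion (challenge, origin, ceremony type) before it would verify the signature with the user's stored public key. The rpId, origin and challenge values are constructed, and signIn() only works inside a browser; the other functions run anywhere.

```javascript
// Added example, not from the original notes. rpId, origin and challenge
// values are constructed; signature verification itself is not shown.

// base64url helpers: the server sends the challenge as base64url text, the
// authenticator receives bytes, and clientDataJSON echoes it back unpadded.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Uint8Array.from(atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, '=')), c => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Feature detection as the notes describe: look for the PublicKeyCredential interface.
function webauthnSupported() {
  return typeof window !== 'undefined' && 'PublicKeyCredential' in window;
}

// Browser side: the publicKey parameter accepted by get(). userVerification
// 'required' asks for single-factor mode (PIN or biometric on the authenticator).
function buildGetOptions(challengeB64url, rpId, credentialIdsB64url) {
  return {
    publicKey: {
      challenge: b64urlToBytes(challengeB64url),
      rpId,
      allowCredentials: credentialIdsB64url.map(id => ({ type: 'public-key', id: b64urlToBytes(id) })),
      userVerification: 'required',
      timeout: 60000,
    },
  };
}

async function signIn(serverOptions) {
  if (!webauthnSupported()) throw new Error('WebAuthn is not available in this browser');
  return navigator.credentials.get(
    buildGetOptions(serverOptions.challenge, serverOptions.rpId, serverOptions.allowCredentials));
}

// Relying-party side: clientDataJSON is covered by the authenticator's signature, so
// binding it to our challenge, our origin and the get ceremony is what stops an
// assertion made for an impersonating site from being accepted here.
function verifyClientData(clientDataJSON, expectedChallengeB64url, expectedOrigin) {
  const c = JSON.parse(new TextDecoder().decode(clientDataJSON));
  if (c.type !== 'webauthn.get') return { ok: false, reason: 'unexpected type ' + c.type };
  const sent = b64urlToBytes(expectedChallengeB64url), got = b64urlToBytes(c.challenge || '');
  if (sent.length !== got.length || sent.some((b, i) => b !== got[i])) return { ok: false, reason: 'challenge mismatch' };
  if (c.origin !== expectedOrigin) return { ok: false, reason: 'origin mismatch: ' + c.origin };
  return { ok: true };
}
```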

