WebAuthn

Last updated

Web Authentication
AbbreviationWebAuthn
First published31 May 2016 (2016-05-31)
Latest versionLevel 2 Recommendation
21 April 2021 (2021-04-21)
Preview versionLevel 3 (FPWD)
15 December 2021 (2021-12-15)
Organization FIDO2 Project (FIDO Alliance and W3C)
Committee Web Authentication Working Group
Editors
Current editors
  • Jeff Hodges (Google)
  • J.C. Jones (Mozilla)
  • Michael B. Jones (Microsoft)
  • Akshay Kumar (Microsoft)
  • Emil Lundberg (Yubico)
Previous editors
  • Dirk Balfanz (Google)
  • Vijay Bharadwaj (Microsoft)
  • Arnar Birgisson (Google)
  • Alexei Czeskis (Google)
  • Hubert Le Van Gong (PayPal)
  • Angelo Liao (Microsoft)
  • Rolf Lindemann (Nok Nok Labs)
Base standards
  • File API
  • WHATWG Encoding Standard
  • Unicode AUX #29: Text Segmentation
Domain Authentication

Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). [1] [2] [3] WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. [4] The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography. WebAuthn credentials (which are themselves FIDO credentials) that are available across multiple devices are commonly referred to as passkeys. [5]

Contents

On the client side, support for WebAuthn can be implemented in a variety of ways. The underlying cryptographic operations are performed by an authenticator, which is an abstract functional model that is mostly agnostic with respect to how the key material is managed. This makes it possible to implement support for WebAuthn purely in software, making use of a processor's trusted execution environment or a Trusted Platform Module (TPM). Sensitive cryptographic operations can also be offloaded to a roaming hardware authenticator that can in turn be accessed via USB, Bluetooth Low Energy, or near-field communications (NFC). A roaming hardware authenticator conforms to the FIDO Client to Authenticator Protocol (CTAP), [6] making WebAuthn effectively backward compatible with the FIDO Universal 2nd Factor (U2F) standard. [7]

Like legacy U2F, Web Authentication is resilient to verifier impersonation; that is, it is resistant to phishing attacks, [8] but unlike U2F, WebAuthn does not require a traditional password. [9] Moreover, a roaming hardware authenticator is resistant to malware since the private key material is at no time accessible to software running on the host machine.

The WebAuthn Level 1 and 2 standards were published as W3C Recommendations on 4 March 2019 and 8 April 2021 respectively. [1] [10] [11] A Level 3 specification is currently a First Public Working Draft (FPWD). [12]

Background

FIDO2 is the successor to FIDO Universal 2nd Factor (U2F). Whereas U2F only supports multi-factor mode, having been designed to strengthen existing username/password-based login flows, FIDO2 adds support for single-factor mode. In multi-factor mode, the authenticator is activated by a test of user presence, which usually consists of a simple button push; no password is required. In single-factor mode, the authenticator (something you have) performs user verification. [13] Depending on the authenticator capabilities, this can be: [14]

Regardless of mode, the authenticator never shares its secrets or biometric data with the website. [15] Moreover, a single user's secret or biometric works with all websites, as the authenticator will select the correct cryptographic key material to use for the service requesting authentication after user verification was completed successfully.

A secret and biometric on the authenticator can be used together, similarly to how they would be used on a smartphone. For example, a fingerprint is used to provide convenient access to your smartphone but occasionally fingerprint access fails, in which case a PIN can be used.

Advantages over traditional password-based authentication

WebAuthn addresses by design many inherent issues in traditional password-based authentication:

Overview

Like its predecessor FIDO U2F, W3C Web Authentication (WebAuthn) involves a website, a web browser, and an authenticator: [1]

WebAuthn specifies how a claimant demonstrates possession and control of a FIDO2 authenticator to a verifier called the WebAuthn Relying Party. The authentication process is mediated by an entity called the WebAuthn Client, which is little more than a conforming web browser.

Authentication

A typical Web Authentication (WebAuthn) flow Passwordless Web Authentication.svg
A typical Web Authentication (WebAuthn) flow

For the purposes of illustration, we assume the authenticator is a roaming hardware authenticator (see below for other options). In any case, the authenticator is a multi-factor cryptographic authenticator that uses public-key cryptography to sign an authentication assertion targeted at the WebAuthn Relying Party. Assuming the authenticator uses a PIN for user verification, the authenticator itself is something you have while the PIN is something you know.

To initiate the WebAuthn authentication flow, [16] the WebAuthn Relying Party indicates its intentions to the WebAuthn Client (i.e., the browser) via JavaScript. The WebAuthn Client communicates with the authenticator using a JavaScript API implemented in the browser. A roaming authenticator conforms to the FIDO Client to Authenticator Protocol.

WebAuthn does not strictly require a roaming hardware authenticator. Alternatively, a software authenticator (e.g., implemented on a smartphone) or a platform authenticator (i.e., an authenticator implemented directly on the WebAuthn Client Device) may be used. Relevant examples of platform authenticators include Windows Hello [17] and the Android operating system. [18]

The illustrated flow relies on PIN-based user verification, which, in terms of usability, is only a modest improvement over ordinary password authentication. In practice, the use of biometrics for user verification can improve the usability of WebAuthn.[ citation needed ] The logistics behind biometrics are still poorly understood, however. There is a lingering misunderstanding among users that biometric data is transmitted over the network in the same manner as passwords, which is not the case. [19] [20]

Registration

When the WebAuthn Relying Party receives the signed authentication assertion from the browser, the digital signature on the assertion is verified using a trusted public key for the user.

To obtain a public key for the user, the WebAuthn Relying Party initiates a WebAuthn registration flow [21] that is similar to the authentication flow illustrated above. The primary difference is that the authenticator now signs an attestation statement with its attestation private key. The signed attestation statement contains a copy of the public key that the WebAuthn Relying Party ultimately uses to verify a signed authentication assertion. The attestation statement also contains metadata describing the authenticator itself.[ citation needed ]

The digital signature on the attestation statement is verified with the trusted attestation public key for that particular model of authenticator. How the WebAuthn Relying Party obtains its store of trusted attestation public keys is unspecified. One option is to use the FIDO metadata service. [22]

The attestation type specified in the JavaScript determines the trust model. For instance, an attestation type called self-attestation may be desired, for which the trust model is essentially trust on first use.

Support

Example of WebAuthn implementation (Bitwarden for Discord on Firefox) Bitwarden Passkey window screenshot.png
Example of WebAuthn implementation (Bitwarden for Discord on Firefox)

The WebAuthn Level 1 standard was published as a W3C Recommendation by the Web Authentication Working Group on 4 March 2019. [1] [10] [23] WebAuthn is supported by Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari [10] and Opera. [24]

The desktop version of Google Chrome has supported WebAuthn since version 67. [25] Firefox, which had not fully supported the previous FIDO U2F standard, included and enabled WebAuthn in Firefox version 60, released on 9 May 2018. [26] An early Windows Insider release of Microsoft Edge (Build 17682) implemented a version of WebAuthn that works with both Windows Hello as well as external security keys. [27]

Existing FIDO U2F security keys are largely compatible with the WebAuthn standard, though WebAuthn added the ability to reference a unique per-account "user handle" identifier, which older authenticators are unable to store. [1]

One of the first FIDO2-compatible authenticators was the second-generation Security Key by Yubico, announced on 10 April 2018. [28] The first FIDO2-compatible authenticators with a display was Trezor Model T by SatoshiLabs, announced on 6 November 2019. [29] Trezor Model T was also the first authenticator that allowed users to select which FIDO2 resident credential should be used directly on a device.

The first Security Level 2 certified FIDO2 key, called "Goldengate" was announced one year later by eWBM on 8 April 2019. [30] [31]

Dropbox announced support for WebAuthn logins (as a 2nd factor) on 8 May 2018. [32]

Apple announced that Face ID or Touch ID could be used as a WebAuthn platform authenticator with Safari on 24 June 2020. [33]

API

WebAuthn implements an extension of the W3C's more general Credential Management API, which is an attempt to formalize the interaction between websites and web browsers when exchanging user credentials. The Web Authentication API [34] [35] extends the Credential Management navigator.credentials.create() and navigator.credentials.get() JavaScript methods so they accept a publicKey parameter. The create() method is used for registering public key authenticators as part of associating them with user accounts (possibly at initial account creation time but more likely when adding a new security device to an existing account) while the get() method is used for authenticating (such as when logging in).

To check if a browser supports WebAuthn, scripts should check if the window.PublicKeyCredential interface is defined. In addition to PublicKeyCredential, the standard also defines the AuthenticatorResponse, AuthenticatorAttestationResponse, and AuthenticatorAssertionResponse interfaces in addition to a variety of dictionaries and other datatypes.

The API does not allow direct access to or manipulation of private keys, beyond requesting their initial creation.

Reception

In August 2018, Paragon Initiative Enterprises conducted a security audit of the WebAuthn standard. While they could not find any specific exploits, they revealed some serious weaknesses in the way the underlying cryptography is used and mandated by the standard. [36]

The main points of criticism revolve around two potential issues that were problematic in other cryptographic systems in the past and therefore should be avoided in order to not fall victim to the same class of attacks:

Paragon Initiative Enterprises also criticized how the standard was initially developed, as the proposal was not made public in advance and experienced cryptographers were not asked for suggestions and feedback. Hence the standard was not subject to broad cryptographic research from the academic world.

Despite these shortcomings, Paragon Initiative Enterprises still encourage users to continue to use WebAuthn but have come up with some recommendations for potential implementers and developers of the standard that they hope can be implemented before the standard is finalized. Avoiding such mistakes as early as possible would protect the industry from any challenges that are introduced by broken standards and the need for backwards compatibility.

ECDAA was only designed to be used in combination with device attestation. This particular feature of WebAuthn is not necessarily required for authentication to work. Current implementations allow the user to decide whether an attestation statement is sent during the registration ceremony. Independently, relying parties can choose to require attestation or not. ECDAA was removed from WebAuthn Level 2 as it was not implemented by browsers nor relying parties. [38]

See also

Related Research Articles

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

<span class="mw-page-title-main">Public key infrastructure</span> System that can issue, distribute and verify digital certificates

A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.

<span class="mw-page-title-main">Single sign-on</span> Authentication scheme

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single SSO ID to any of several related, yet independent, software systems.

<span class="mw-page-title-main">Security token</span> Device used to gain access to restricted resource

A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless key cards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or signing transactions such as wire transfers.

<span class="mw-page-title-main">Digest access authentication</span> Method of negotiating credentials between web server and browser

Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password, with a user's web browser. This can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of hashing, making it non-secure unless used in conjunction with TLS.

Data Protection Application Programming Interface (DPAPI) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. A detailed analysis of DPAPI inner-workings was published in 2011 by Bursztein et al.

Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.

Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine. The concept is also known as password chaos, or more broadly as identity chaos.

<span class="mw-page-title-main">Multi-factor authentication</span> Method of computer access control

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

<span class="mw-page-title-main">SQRL</span> Draft open standard for identity verification

SQRL or Secure, Quick, Reliable Login is a draft open standard for secure website login and authentication. The software typically uses a link of the scheme sqrl:// or optionally a QR code, where a user identifies via a pseudonymous zero-knowledge proof rather than providing a user ID and password. This method is thought to be impervious to a brute-force password attack or data breach. It shifts the burden of security away from the party requesting the authentication and closer to the operating-system implementation of what is possible on the hardware, as well as to the user. SQRL was proposed by Steve Gibson of Gibson Research Corporation in October 2013 as a way to simplify the process of authentication without the risk of revelation of information about the transaction to a third party.

<span class="mw-page-title-main">FIDO Alliance</span> Industry consortium working on authentication mechanisms

The FIDOAlliance is an open industry association launched in February 2013 whose stated mission is to develop and promote authentication standards that "help reduce the world’s over-reliance on passwords". FIDO addresses the lack of interoperability among devices that use strong authentication and reduces the problems users face creating and remembering multiple usernames and passwords.

<span class="mw-page-title-main">YubiKey</span> Hardware authentication device by Yubico

The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows storing static passwords for use at sites that do not support one-time passwords. Google, Amazon, Microsoft, Twitter, and Facebook use YubiKey devices to secure employee accounts as well as end-user accounts. Some password managers support YubiKey. Yubico also manufactures the Security Key, a similar lower-cost device with only FIDO2/WebAuthn and FIDO/U2F support.

Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB) or near-field communication (NFC) devices based on similar security technology found in smart cards. It is succeeded by the FIDO2 Project, which includes the W3C Web Authentication (WebAuthn) standard and the FIDO Alliance's Client to Authenticator Protocol 2 (CTAP2).

The Web Authentication Working Group, created by the World Wide Web Consortium (W3C) on February 17, 2016, has for mission, in the Security Activity, to define a client-side API providing strong authentication functionality to Web Applications.

Token Binding is a proposed standard for a Transport Layer Security (TLS) extension that aims to increase TLS security by using cryptographic certificates on both ends of the TLS connection. Current practice often depends on bearer tokens, which may be lost or stolen. Bearer tokens are also vulnerable to man-in-the-middle attacks or replay attacks. In contrast, bound tokens are established by a user agent that generates a private-public key pair per target server, providing the public key to the server, and thereafter proving possession of the corresponding private key on every TLS connection to the server.

Biometric tokenization is the process of substituting a stored biometric template with a non-sensitive equivalent, called a token, that lacks extrinsic or exploitable meaning or value. The process combines the biometrics with public-key cryptography to enable the use of a stored biometric template for secure or strong authentication to applications or other systems without presenting the template in its original, replicable form.

The Web Cryptography API is the World Wide Web Consortium’s (W3C) recommendation for a low-level interface that would increase the security of web applications by allowing them to perform cryptographic functions without having to access raw keying material. This agnostic API would perform basic cryptographic operations, such as hashing, signature generation and verification and encryption as well as decryption from within a web application.

Credential Management, also referred to as a Credential Management System (CMS), is an established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI).

The Client to Authenticator Protocol (CTAP) or X.1278 enables a roaming, user-controlled cryptographic authenticator to interoperate with a client platform such as a laptop.

<span class="mw-page-title-main">Passwordless authentication</span> Identity authentication method

Passwordless authentication is an authentication method in which a user can log in to a computer system without entering a password or any other knowledge-based secret. In most common implementations users are asked to enter their public identifier and then complete the authentication process by providing a secure proof of identity through a registered device or token.

References

  1. 1 2 3 4 5 Balfanz, Dirk; Czeskis, Alexei; Hodges, Jeff; Jones, J.C.; Jones, Michael B.; Kumar, Akshay; Liao, Angelo; Lindemann, Rolf; Lundberg, Emil (eds.). "Web Authentication: An API for accessing Public Key Credentials Level 1 (latest)". World Wide Web Consortium . Retrieved 4 March 2019.
  2. "Web Authentication Working Group". World Wide Web Consortium . Retrieved 11 May 2018.
  3. Strickland, Jonathan (18 March 2019). "What is WebAuthn". TechStuff. iHeartMedia. 20:35 minutes in. Retrieved 20 March 2019.
  4. "FIDO2 Project". FIDO Alliance. Retrieved 11 May 2018.
  5. "White Paper: Multi-Device FIDO Credentials" (PDF). FIDO Alliance. March 2022. p. 6. Retrieved 20 May 2024.
  6. Brand, Christiaan; Czeskis, Alexei; Ehrensvärd, Jakob; Jones, Michael B.; Kumar, Akshay; Lindemann, Rolf; Powers, Adam; Verrept, Johan, eds. (30 January 2019). "Client to Authenticator Protocol (CTAP)". FIDO Alliance. Retrieved 7 March 2019.
  7. "WebAuthn / CTAP: Modern Authentication" (PDF). World Wide Web Consortium. 10 December 2018. Retrieved 11 March 2019.
  8. Kan, Michael (7 March 2019). "Google: Phishing Attacks That Can Beat Two-Factor Are on the Rise". PC Magazine. Retrieved 8 March 2019.
  9. "Practical passwordless authentication comes a step closer with WebAuthn". Ars Technica . 10 April 2018. Retrieved 16 October 2024.
  10. 1 2 3 "W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins". World Wide Web Consortium. 4 March 2019. Retrieved 4 March 2019.
  11. Balfanz, Dirk; Czeskis, Alexei; Hodges, Jeff; Jones, J.C.; Jones, Michael B.; Kumar, Akshay; Lindemann, Rolf; Lundberg, Emil, eds. (8 April 2021). "Web Authentication: An API for accessing Public Key Credentials Level 2" (Latest ed.). World Wide Web Consortium . Retrieved 27 November 2022.
  12. Balfanz, Dirk; Czeskis, Alexei; Hodges, Jeff; Jones, J.C.; Jones, Michael B.; Kumar, Akshay; Lindemann, Rolf; Lundberg, Emil, eds. (4 April 2021). "Web Authentication: An API for accessing Public Key Credentials Level 3" (First Public Working Draft ed.). World Wide Web Consortium . Retrieved 24 December 2021.
  13. "User Presence vs User Verification" . Retrieved 19 February 2024.
  14. Baghdasaryan, Davit; Hill, Brad (2 July 2018). "FIDO Registry of Predefined Values". fidoalliance.org. FIDO Alliance. Retrieved 16 June 2019.
  15. "Web Authentication: An API for accessing Public Key Credentials Level 1 § Terminology: User Verification". www.w3.org. W3C. 4 March 2019. Retrieved 16 June 2019.
  16. "Web Authentication API". Mozilla. Section Authentication . Retrieved 18 March 2019.
  17. Simons, Alex (20 November 2018). "Secure password-less sign-in for your Microsoft account using a security key or Windows Hello". Microsoft . Retrieved 6 March 2019.
  18. "Android Now FIDO2 Certified, Accelerating Global Migration Beyond Passwords". BARCELONA: FIDO Alliance. 25 February 2019. Retrieved 6 March 2019.
  19. "Touch ID and Beyond: Duo's Plans for WebAuthn". Duo Security. 5 March 2019. Retrieved 8 March 2019.
  20. Steele, Nick (27 February 2019). "How WebAuthn aims to solve the password problem". Help Net Security. Retrieved 8 March 2019.
  21. "Web Authentication API". Mozilla. Section Registration . Retrieved 18 March 2019.
  22. "Metadata Service". FIDO Alliance . Retrieved 18 March 2019.
  23. Protalinski, Emil (4 March 2019). "W3C Approves WebAuthn as the Web Standard for Password-Free Logins".
  24. "Can I use Web Authentication API?" . Retrieved 7 March 2019.
  25. Brand, Christiaan (3 June 2018). "Enabling Strong Authentication with WebAuthn". Google Developers. Retrieved 25 June 2018.
  26. Shankland, Stephen (9 May 2018). "Firefox moves browsers into post-password future with WebAuthn tech". CNET. Retrieved 11 May 2018.
  27. Sarkar; et al. (23 May 2018). "Announcing Windows 10 Insider Preview Build 17682". Microsoft. Retrieved 25 June 2018.
  28. "Yubico Launches New Developer Program and Security Key for FIDO2 and WebAuthn W3C Specifications" (Press release). 10 April 2018. Retrieved 11 May 2018.
  29. "Make Passwords a Thing of the Past, FIDO2 Is Now Available on Trezor Model T". 6 November 2019. Retrieved 6 November 2019.
  30. "eWBM: eWBM's Goldengate Fingerprint Reader is First to Get FIDO L2 Certification" (Press release). 8 April 2019. Retrieved 15 June 2019.
  31. "Mobile ID World, Alex Perala: eWBM's Goldengate Fingerprint Reader is First to Get FIDO L2 Certification" (Press release). 9 April 2019. Retrieved 15 June 2019.
  32. Girardeau, Brad (8 May 2018). "Introducing WebAuthn support for secure Dropbox sign in". Dropbox Tech Blog. Dropbox. Retrieved 11 May 2018.
  33. "Safari 14 Release Notes". Apple Developer Documentation. 16 December 2022. Retrieved 16 December 2022.
  34. "Web Authentication API". Mozilla . Retrieved 16 March 2019.
  35. Ackermann, Yuriy (15 January 2019). "Introduction to WebAuthn API". Medium. Retrieved 8 March 2019.
  36. "Security Concerns Surrounding WebAuthn: Don't Implement ECDAA (Yet)". Paragon Initiative Enterprises Blog. 23 August 2018. Retrieved 9 October 2018.
  37. "FIDO ECDAA Algorithm". FIDO Alliance. 27 February 2018. Retrieved 9 October 2018.
  38. "Remove ECDAA? · Issue #1410 · w3c/webauthn". GitHub. 28 April 2020. Retrieved 3 June 2020.