Everything you always wanted to know about WebAuthn

There has been a lot of excitement about WebAuthn. It’s time to dig a little deeper!

The standard

TOTP-based authenticator apps such as the KeyHub app, Google Authenticator and the Blizzard Authenticator are commonplace as a second factor (2FA) nowadays. These apps generate a 6- or 8-digit numerical code that you enter when a website prompts you for it. Some of these apps show a notification instead and, after confirmation by the user, send a similar code to the website in the background, so the user does not have to type the code manually.

More recently, an alternative has become available. The WebAuthn standard, combined with the FIDO CTAP 2.0 standard, lets us use a wide selection of devices as an authenticator for our web applications. These authenticators use public-key cryptography to function as a second factor or even to replace the password altogether (passwordless login).

Security

Traditional (TOTP or HOTP) authenticators share a secret between the application and the authenticator. If you know the secret, you can generate the code, and that is essentially how the application checks the code entered by the user: it computes what the code should be and compares the two. Anyone who obtains the shared secret, on either side, can therefore generate valid codes.

When using WebAuthn, the authenticator generates a public/private key pair and sends only the public key to the application. Verification then consists of the application sending a challenge to the authenticator, which signs it with the private key and sends the signature back to the application. The application verifies the signature using the stored public key. As the private key never leaves the authenticator, this way of authenticating is fundamentally more secure: a breach of the application's database yields only public keys, which cannot be used to log in.

Device-agnostic

WebAuthn specifies the API that the browser offers the application. Most modern browsers implement this specification, so any application can use this API to talk to any compatible authenticator. The API makes life easier for application developers, as there is no need to know anything specific about the authenticator. It includes provisions for selecting authenticators with certain capabilities, for instance specifically requesting a cross-platform (“roaming”) authenticator, or requiring user interaction for authentication.
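As an added example (not code from the original post), here is what those provisions look like in the browser API: the application builds `PublicKeyCredentialCreationOptions` and the browser picks a matching authenticator. `authenticatorSelection.authenticatorAttachment` selects a roaming (`'cross-platform'`) or built-in (`'platform'`) authenticator, and `authenticatorSelection.userVerification` controls whether the user must verify themselves. The `challenge` and `userId` bytes are assumed to come from the server, and `example.com` and the helper names are my own.

```javascript
// Added example (not from the original post): building WebAuthn request options.
// The challenge must be random bytes generated server-side per request; the
// WebAuthn spec asks for at least 16 bytes, which the check below enforces.
function buildCreationOptions({
  challenge, userId, userName, rpId, rpName,
  attachment,                  // 'cross-platform' | 'platform' | undefined (= any)
  userVerification = 'required',
}) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new Error('challenge must be at least 16 random bytes generated server-side');
  }
  const authenticatorSelection = { userVerification };
  if (attachment) authenticatorSelection.authenticatorAttachment = attachment;
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },
      user: { id: userId, name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [
        { type: 'public-key', alg: -7 },   // COSE ES256 (ECDSA P-256 / SHA-256)
        { type: 'public-key', alg: -257 }, // COSE RS256 (RSASSA-PKCS1-v1_5 / SHA-256)
      ],
      timeout: 60000,
      authenticatorSelection,
      attestation: 'none', // ordinary 2FA does not need to identify the key model
    },
  };
}

// Login request: allowCredentials limits the browser to keys already registered
// for this user, so an unrelated authenticator is not even offered.
function buildRequestOptions({ challenge, rpId, credentialIds, userVerification = 'required' }) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new Error('challenge must be at least 16 random bytes generated server-side');
  }
  return {
    publicKey: {
      challenge,
      rpId,
      allowCredentials: credentialIds.map((id) => ({ type: 'public-key', id })),
      userVerification,
      timeout: 60000,
    },
  };
}

// In a browser, navigator.credentials.create(options) / navigator.credentials.get(options)
// resolve to a PublicKeyCredential whose `response` is sent to the server for verification.
async function registerInBrowser(options) {
  if (typeof navigator === 'undefined' || !navigator.credentials) {
    throw new Error('WebAuthn is only available in a browser context');
  }
  return navigator.credentials.create(options);
}
```

Leaving `authenticatorAttachment` out lets the browser offer whatever is available; setting it to `'cross-platform'` is how an application insists on a physical key rather than the device's built-in authenticator.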

Physical security keys

The most well-known authenticators are the physical security keys, sometimes also called dongles, such as the Yubico Yubikey, Google Titan or Feitian ePass security keys. These keys use the FIDO CTAP 2.0 standard to communicate with the browser, which then uses the WebAuthn API with the web application.

Physical security keys come with USB-A, USB-C or Lightning connectors, and many of them also support wireless connections via NFC or Bluetooth Low Energy. This way they can be used to secure your mobile device as well as your laptop or desktop computer.

Physical security keys have the advantage that they still work even when a mobile phone is lost, broken, or reset. They are also easy to use, requiring no more than a touch or a fingerprint scan, and they work across devices.

Security keys cost between €30 and €100, depending on capabilities, and volume discounts are readily available.

On the other hand, physical security keys are easier to lose than a smartphone. They tend to get lost, run over by a bus, washed in the washing machine, etc. People generally take better care of their smartphone than of a dongle.

Virtual security keys

Virtual authenticators also exist. There are so-called platform authenticators, where the operating system on your device functions as a compatible authenticator. Examples are Android (7.0+) and Windows Hello (built into Windows 10). (There is no concrete information available about any plans Apple might have to offer this functionality in iOS or iPadOS.)

An advantage of these authenticators is that the developers of these operating systems put a lot of effort into both security and user-friendliness, and that users are already familiar with how they work.

There also seems to be room for apps for mobile platforms that can function as a FIDO compatible authenticator. Using CTAP, your smartphone could conceivably even function as an authenticator for the browser on your laptop!

Unfortunately, information about these apps is scarce and often confusing, because their developers tend to throw every FIDO-related term into a buzzword-heavy marketing post without giving a clear overview of the features. Krypton is one example that claims to offer this functionality through a combination of an app and a browser extension, but as with other possible products it is unclear whether it actually works.

Which security key to buy?

There are a bunch of confusing standards: FIDO, WebAuthn, FIDO2 and U2F. Suppliers of security keys do not help by using these terms interchangeably when promoting their products. So, which standards should your new security key support?

TL;DR:

If the authenticator says it supports FIDO2 or WebAuthn, you’re good to go. U2F is an older version; while there is some backwards compatibility, it is better to avoid authenticators that only mention U2F.

U2F was developed by Google, Yubico and NXP and was later brought into the FIDO Alliance. This alliance developed the FIDO 2.0 proposal, which was submitted to the W3C, who turned it into the W3C Recommendation Web Authentication (WebAuthn).

The FIDO Alliance also developed the FIDO CTAP 2.0 specification, which, together with the WebAuthn API, covers authenticating to web applications with an external authenticator such as a physical dongle.

The W3C and the FIDO Alliance work together on the FIDO2 project, which governs the work on both WebAuthn and CTAP.

More security, easier for developers and a better user experience

WebAuthn makes our digital life more secure, makes it easier for developers to secure applications and makes the user experience much better.

For most organisations, there are very good reasons to proceed with wide-scale adoption both from a security perspective and from a cost/benefit perspective.

KeyHub likes WebAuthn because it makes life easier. KeyHub release 17.0 supports WebAuthn.

Want to get going with WebAuthn?