WebAuthn: A Step Towards Passwordless Authentication

We are all aware of cyber vulnerabilities and know that malicious actors are constantly trying to crack passwords to access essential systems.
Our previous blog, The Passwordless Future of Work, explains how passwordless authentication methods like biometrics, soft tokens, OTP, etc. make your digital identities resistant to hacking, phishing, credential stuffing, and password spraying.
The blog also mentions ‘WebAuthn’, a web standard for passwordless logins supported by tech giants like Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, SoftBank, Tencent, and Yubico. So, let’s understand WebAuthn a little more and see how you can benefit from this new-age authentication technique.

What is WebAuthn?

In November 2015, the World Wide Web Consortium (W3C) and FIDO Alliance approved WebAuthn, short for web authentication, as an open security standard for password-free logins on the web. WebAuthn is supported by most browsers, including Firefox, Chrome, Edge, and Safari.

Essentially, it is a web browser-based API allowing the users to authenticate their identities with mobile devices, FIDO security keys, and Trusted Platform Modules. It increases security for the authentication process by eliminating the need for using passwords while making the end-user experience secure and glitch-free.

WebAuthn is designed to support multiple passwordless authentication methods such as a fingerprint, a PIN, voice recognition, face recognition, etc. Technically, an encrypted challenge-response authentication mechanism runs under the covers between the user and the authenticating device.

WebAuthn is easy to implement. For instance, to access the web applications on Mozilla Firefox, you may use a security key or have a supported web browser, operating system and a built-in biometric authenticator on your device for secure authentication.

What’s great about WebAuthn is that whatever you register with in place of a password never leaves the device and never gets stored on external servers either. Say you choose your fingerprint as your password: it gets registered as an authentication method and will never get stolen.
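The challenge-response exchange and the "nothing secret on the server" property described above, as an added example that is not part of the original post: the checks a relying party runs on a WebAuthn assertion, in Node.js. The relying party ID, the origins and the in-process stand-in for an authenticator are assumptions made up for the demo; in a real deployment these bytes come from the browser's `navigator.credentials.get()`.

```javascript
const crypto = require('node:crypto');
const RP_ID = 'login.example';           // assumed relying party ID
const ORIGIN = 'https://login.example';  // assumed expected origin
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// Relying party: accept an assertion only if every binding holds.
function verifyAssertion(a, expectedChallenge, cred) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge) return 'challenge mismatch';
  if (client.origin !== ORIGIN) return 'origin mismatch';
  const ad = a.authenticatorData; // rpIdHash(32) | flags(1) | signCount(4)
  if (ad.length < 37) return 'short authenticator data';
  if (!ad.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if ((ad[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([ad, sha256(a.clientDataJSON)]);
  if (!crypto.verify('sha256', signed, cred.publicKey, a.signature)) return 'bad signature';
  const count = ad.readUInt32BE(33);
  if (count !== 0 && count <= cred.signCount) return 'counter did not increase';
  cred.signCount = count;
  return 'ok';
}

// Constructed stand-in for an authenticator: the private key never leaves this closure.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let counter = 0;
  const sign = (challenge, origin) => {
    const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
    // flags 0x05 = user present + user verified, followed by a 4-byte counter
    const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05, 0, 0, 0, 0])]);
    authenticatorData.writeUInt32BE(++counter, 33);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { authenticatorData, clientDataJSON, signature: crypto.sign('sha256', signed, privateKey) };
  };
  return { publicKey, sign };
}

function demo() {
  const auth = makeAuthenticator();
  const cred = { publicKey: auth.publicKey, signCount: 0 }; // all the server stores
  const challenge = crypto.randomBytes(32).toString('base64url');
  const good = auth.sign(challenge, ORIGIN);
  return {
    fresh: verifyAssertion(good, challenge, cred),
    stale: verifyAssertion(good, crypto.randomBytes(32).toString('base64url'), cred),
    lookalike: verifyAssertion(auth.sign(challenge, 'https://login.example.test'), challenge, cred),
  };
}
console.log(demo());
```

The server-side record holds only a public key and a counter, so a database leak yields nothing that can be replayed as a login.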

Now that the functionality of WebAuthn is clear, let’s address a critical question.

What are the benefits of WebAuthn?

WebAuthn makes authentication extremely secure as there isn’t a need to use passwords. Your credentials are protected from most cybercrimes like hacking, phishing, credential stuffing, or password spraying, which are redundant without a password to attack. In addition to this, WebAuthn has the following benefits:

  •  Higher adoption rate
    As mentioned earlier, major tech giants like Airbnb, Alibaba, Apple, Intel, Microsoft, Mozilla, PayPal, Yubico, etc. support WebAuthn today. W3C said in a press release: “This advancement is a major step forward in making the web more secure—and usable—for users around the world.” With the ubiquity of major browsers and platforms that integrate WebAuthn and the availability of phones and mobile devices with built-in authenticators, one doesn’t have to go looking for a browser or system that specifically supports WebAuthn.
  • Offers a choice of Authentication
    The passwordless authentication techniques in WebAuthn include PIN, fingerprint, security keys, voice recognition, Face ID, etc. WebAuthn also offers single-factor, two-factor, and multi-factor authentication. So, there is a wide range of authentication mechanisms available. For instance, an organization may opt for a layered approach like multi-factor authentication because it wants the highest level of protection against potential data breaches and hacks. Similarly, an employee may use only a PIN to access certain web applications.
    Therefore, users can opt for an authentication model that best suits their security requirements.
  • Better user experience
    Compared to the traditional routine of creating, remembering, updating, and resetting passwords time and again, a simple authentication technique like a PIN or Face ID gives the user a much better experience. Say a user takes 2 minutes to log in to a web application with a password; they will take no more than 10 seconds to log in to the same app via biometrics or security keys. The latter is less time-consuming and much more secure, and this is what gives the user a great authentication experience.
  •  Reduces operational costs
    According to a Yubico study, on average, respondents report having to spend an average of 12.6 minutes each week or 10.9 hours per year entering and resetting passwords. Based on the average headcount in this research of almost 15,000, we estimate the annual cost of productivity and labor loss per company averages $5.2 million annually! With WebAuthn’s passwordless authentication, organizations can save a considerable share of the IT budget, where IT personnel spend considerable time creating and resetting users’ passwords. It not only reduces operational costs but also enhances the organization’s operational efficiency.

With the growing popularity of passwordless authentication and major web browsers and services supporting WebAuthn, one might ask:

Will password authentication soon be history?

Creating passwords had an objective: to prevent unauthorized access and secure our digital identities from malicious actors. But as technology advanced, the use of passwords grew, and so did the incidence of cybercrime.

Hackers started breaking through organizations’ security and caused them serious damage.

For instance, in 2013-14, 3 billion Yahoo user accounts were compromised by a hacking group, and the breaches knocked an estimated $350 million off Yahoo’s sale price.

In March 2014, Target’s CIO resigned after credit/debit card information and contact information of up to 110 million people was compromised, and the company estimated the cost of the data breach at $162 million!

These are just two of the countless data breach incidents that cost companies a fortune, and there was a dire need to embrace passwordless authentication methods. Brett McDowell says, “Over time, market forces will make the password less and less interesting, less viable, and less effective.”

This is why W3C and FIDO Alliance ratified WebAuthn as a standard for passwordless login; the ultimate objective was to kill passwords and make sure that hackers never make their way to your digital identities. So, will password authentication soon be history? Well, this certainly seems highly likely!
