Say Goodbye to Passwords and Hello to WebAuthn

Identifying ourself to access social media, banking details, and every aspect of our online life is something we do potentially dozens of times a day.

But as the nearly ten billion leaked account details documented by “‘;–have i been pwned?” attest, this process has a fatal weakness–passwords.

The Web Authentication API (or WebAuthn) is a standard from the W3C and FIDO that “allows servers to register and authenticate users using public key cryptography instead of a password”. WebAuthn is part of a set of standards that enable passwordless authentication between servers, browsers, and authenticators. It’s supported in all modern browsers.

In this presentation Ben Dechrai will outline how the technologies work, and how you can take advantage of them today to create a far more secure experience for your users.

Say Goodbye to Passwords and Hello to WebAuthn

Ben Dechrai, Developer Advocate Auth0

Ben’s been a software engineer for 20 years; and in that time he’s gone from trying to control everything, to understanding that it’s often better to outsource some parts so you can focus on the area that lets you provide difference and value. User credentials and authentication are a good candidate to outsource as they are tricky and risky.

There are three main things we want credentials to have:

1) Easy to remember and hard to guess – too hard to remember and we won’t use it; too easy to guess and it’s not safe
2) Easy to change – so if there’s a breach, people can change their password quickly
3) Hard to intercept – resistant to attack

So how do different auth types fare against these credential types?

Passwords – (1) low (2) high (3) medium
It’s hard to remember a secure password, but they are easy to change and reasonably hard to intercept. But once breached they are easy to share (haveibeenpwned?).

SMS or email tokens – (1) high (2) reasonably high (3) medium
There are vulnerabilities that make SMSes relatively easy to intercept; email is not particularly secure either.

Biometrics (voice, fingerprint, etc) – (1) high (2) very low (3) medium-high.
There are lots of quite interesting proof-of-concept attacks around biometrics, so they are not unbreakable.

Combined, these things make up multifactor authentication (MFA). It’s useful to think of things you know (password), things you have (a device receiving a token) and things you are (biometrics).

Other than actual passwords, most are ‘passwordless’ – a push notification or your voice can be used without entering a password.

Something that we can now use with webauthn is a FIDO security key. So let’s see how they fit into the scale:

FIDO Security Key: (1) high (2) medium-high (3) high

They’re easy to use, mathematically improbable to guess, registering a new one is reasonably easy, and they are very hard to intercept.

These can also help protect against phishing attacks, but first let’s remind ourselves how those attacks play out. Phishing attacks rely on fooling you into entering real details into a fake UI; and they will often present a fake success screen to help cover up what’s happening.

When these fake interfaces are done well enough, you can also be tricked into entering multifactor authentication.

So what can WebAuthn do to help? Phishing fundamentally relies on fake login screens to capture details for use on the real site, so the WebAuthn registration and login flows block that vector by creating a detectable mismatch.

Instead of creating a password directly in the web UI, it uses challenges and APIs to create keys that are specific to the actual domain – so they are no good for logging into the real one. Instead of relying on human brains to notice a tricky URL, computers simply detect that they don’t match.

(Demo of webauthn – walking through the process described earlier, using the laptop’s fingerprint reader for verification.)

WebAuthn can be passwordless, but it can also be _username_less. The authenticator can remember keys for you, so all you do is specify which key you want to provide.

(Demo of this process, with good ol’ Alice and Bob.)

As with all new tech, it will take a little while to get used to the new authentication patterns available with WebAuthn. Hopefully this demo has given you the interest to give it a try!