Web Authentication: How Is the Web Authentication API (WebAuthn) Used?
Web authentication (usually shortened to WebAuthn) is a W3C standard that could make passwords obsolete. It is the browser-facing half of FIDO2; the other half, CTAP, is the protocol the browser uses to talk to an authenticator. Instead of typing letters and numbers to prove identity, users prove possession of a private key held by an authenticator, which they unlock with a biometric (like a fingerprint) or a PIN, or which they carry as a hardware security key (like a YubiKey).
For years, we've used passwords to gain access to websites and servers. When we want to log on, we tap out a username, and we add on a string of letters and numbers to prove that we are who we claim to be.
But the average office employee must remember up to 40 unique username/password combinations. That high demand leads to poor habits, such as repetition, that can torpedo your security efforts.
A Short History of WebAuthn
Passwords are catnip to hackers. With a bit of coding cleverness and luck, a hacker can either guess combinations or entice someone to disclose them. Verizon has said that more than 80 per cent of hacking-related breaches are caused by compromised credentials. Something had to change.
Webmasters tried two-factor authentication methods. That involved:
- Registrations. A device like a phone was attached to the user's profile.
- Logins. A user entered a name and password.
- Requests. The server sent a request to the authorised device.
- Completion. The user followed the instructions on the device to enter the site.
If you've ever tried to log in and had to wait for a code to ping your phone, you've used two-factor authentication. It seems efficient, but implementation was sporadic. Some websites wanted to put their own spin on the process, which frustrated users, and some flows were so poorly designed that people just didn't understand them.
The World Wide Web Consortium (W3C) wanted something new and better to improve the user experience while protecting security. In March 2019, working with the FIDO Alliance, the group published the Web Authentication API as a standard to do just that.
Since its release, WebAuthn has been widely accepted. The FIDO Alliance co-developed the standard, browsers and operating systems added built-in support, and well-known companies like Amazon, Facebook, Microsoft, Google and Apple started adopting the technology too.
How Web Authentication Works
WebAuthn is an application programming interface, or API, that allows a website (the relying party) to register and later recognise its users with public-key credentials instead of passwords. Many websites have forms that allow people to sign up and become members with unique usernames and passwords. WebAuthn can replace that form entirely, or sit alongside it as a second factor while you migrate.
Two main pieces are involved, which are:
- Registration. You choose a username, and instead of a password you unlock an authenticator (with a fingerprint, a face scan or a PIN) or plug in a hardware security key that you keep in your possession. The authenticator generates a fresh key pair for that site. Biometric data never leaves the device; only the public key is sent to the site.
- Authentication. When you want to log in again, the site sends a random challenge, you unlock the authenticator once more, it signs the challenge with the private key, and the site verifies the signature with the public key it stored. No password is involved at any point.
The authenticator that holds the private key is either built into your operating system or device (a platform authenticator such as Windows Hello or Touch ID) or a separate roaming key such as a YubiKey.
Complete registration, and you'll have something called a credential: a key pair (one public and one private) scoped to that website. The private key stays in your authenticator and nowhere else. The server stores the public key together with a credential ID and a signature counter.
You may not know what these keys look like or how they work. But they play a vital role in each login attempt.
When you're ready to log into the site once more, your device and the server move through a series of steps.
- Attempt: You enter your username or otherwise indicate that you'd like to sign in. The server responds with a random challenge and, optionally, the IDs of the credentials it has on file for you.
- Contact: The browser passes the challenge to the authenticator, tagged with the site's origin and relying-party ID, and the authenticator asks you to unlock it (fingerprint, PIN or a touch of the key).
- Approval: The authenticator signs the challenge together with the hashed relying-party ID, a signature counter and a hash of the client data, and hands the signature back to the browser.
- Server contact: The server checks that the challenge is the one it issued, that the origin and relying-party ID match its own, that the counter has increased since the last login, and that the signature verifies under the stored public key. Only then does it let you in.
The use of a separate key pair for every site, with the browser binding each signature to the site's origin, makes WebAuthn phishing-resistant: a look-alike domain cannot obtain a signature the real site will accept, and a breach of the server's database yields only public keys. You don't need to remember anything at all, yet every site gets its own unique, unguessable credential. In essence, you're following password best practices without even trying.
How WebAuthn Is Implemented
Widespread adoption was the goal of the W3C team. They wanted as many websites as possible to use this technology to protect the web. As a result, they designed the API with simplicity and ease in mind.
WebAuthn is an extension of the Credential Management API. It adds a publicKey option to two existing functions.
- navigator.credentials.create() is used to register a new credential, either for a new account or to pair an additional authenticator with an existing one.
- navigator.credentials.get() is used to log in a user with an existing credential.
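As an added example (not code from the original page, from Google or from Okta), here is what calling these two functions looks like from a page's own JavaScript. The /webauthn/... endpoints and the JSON fields they exchange are assumptions for illustration; the option shapes are the ones the API expects. The option builders are plain functions, so they also run under Node, which is how they are exercised here; only the two *InBrowser functions need a real browser.

```javascript
// Added example (not from the original page): the browser side of WebAuthn.
// The server endpoints and the JSON field names are assumptions for illustration.

// WebAuthn wants BufferSource values, but JSON carries base64url strings, so
// every challenge, user ID and credential ID has to be converted each way.
function fromBase64url(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}
function toBase64url(buf) {
  return btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Options for navigator.credentials.create(): registration of a new credential.
function buildCreateOptions(reg) {
  return {
    publicKey: {
      rp: { id: reg.rpId, name: reg.rpName },
      user: { id: fromBase64url(reg.userId), name: reg.username, displayName: reg.displayName },
      challenge: fromBase64url(reg.challenge),
      pubKeyCredParams: [
        { type: 'public-key', alg: -7 },    // ES256, supported by every authenticator
        { type: 'public-key', alg: -257 },  // RS256, needed by some older TPM-backed authenticators
      ],
      // Stops a user registering the same authenticator twice.
      excludeCredentials: (reg.existingCredentialIds || []).map((id) => ({ type: 'public-key', id: fromBase64url(id) })),
      authenticatorSelection: { userVerification: 'preferred', residentKey: 'preferred' },
      attestation: 'none',  // ask for attestation only if the server will actually verify it
      timeout: 60000,
    },
  };
}

// Options for navigator.credentials.get(): sign-in with an existing credential.
// An empty allowCredentials list lets a discoverable (resident) credential be used.
function buildGetOptions(login) {
  return {
    publicKey: {
      rpId: login.rpId,
      challenge: fromBase64url(login.challenge),
      allowCredentials: (login.credentialIds || []).map((id) => ({ type: 'public-key', id: fromBase64url(id) })),
      userVerification: 'required',  // insist on biometric/PIN, not just a touch
      timeout: 60000,
    },
  };
}

// Flatten a PublicKeyCredential into JSON the server can verify.
function serializeCredential(cred) {
  const r = cred.response;
  const out = { id: cred.id, rawId: toBase64url(cred.rawId), type: cred.type, response: { clientDataJSON: toBase64url(r.clientDataJSON) } };
  if (r.attestationObject) out.response.attestationObject = toBase64url(r.attestationObject);  // from create()
  if (r.authenticatorData) {                                                                 // from get()
    out.response.authenticatorData = toBase64url(r.authenticatorData);
    out.response.signature = toBase64url(r.signature);
    if (r.userHandle) out.response.userHandle = toBase64url(r.userHandle);
  }
  return out;
}

async function postJSON(url, body) {
  const res = await fetch(url, { method: 'POST', headers: { 'content-type': 'application/json' }, body: JSON.stringify(body || {}) });
  return res.json();
}
// Browser-only. The challenge must come from the server; never generate it client-side.
async function registerInBrowser(username) {
  const reg = await postJSON('/webauthn/register/options', { username });   // assumed endpoint
  const cred = await navigator.credentials.create(buildCreateOptions(reg));
  return postJSON('/webauthn/register/verify', serializeCredential(cred));   // assumed endpoint
}
async function loginInBrowser(username) {
  const login = await postJSON('/webauthn/login/options', { username });    // assumed endpoint
  const cred = await navigator.credentials.get(buildGetOptions(login));
  return postJSON('/webauthn/login/verify', serializeCredential(cred));     // assumed endpoint
}
```

The base64url helpers are where most integrations go wrong: the challenge the server later compares against is the base64url string inside clientDataJSON, so the server must issue it in that form and the page must decode it to bytes without altering it.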
Google points out that integration techniques vary widely from website to website. If you're running a single-page app you'll have different work to do than someone with a complex site filled with popups. But Google offers plenty of support and advice to developers hoping to understand the code and apply it properly.
You'll also need to educate your users about the change. For example, if you'd like to use WebAuthn with hardware keys only (not biometrics), you might need your users to understand that well in advance so they can purchase the items they need long before the changes go live.
Do You Need Website Authentication?
Changing legacy login systems can be nerve-wracking, both for you and for your users. But new technology comes with plenty of benefits that you just can't ignore.
Incorporate WebAuthn into your website, and you could get:
- Protection. Stolen or reused passwords don't help an attacker: each site gets its own key pair, the private key never leaves the authenticator, and a signature obtained on a phishing domain is rejected by the real site.
- Compliance. Web managers know that reusing passwords is serious, but 45 per cent of people don't agree. Move to this new technology, and you won't have to persuade people to follow your rules. They must do so to gain access.
- Reduced risk. Hackers like to dig deep into your database to harvest usernames and passwords. With WebAuthn the database holds only public keys, which cannot be used to sign in anywhere, so attackers have far less to gain and may move on to a new target.
- Better customer experiences. About a third of customers abandon shopping carts because they can't remember their usernames/passwords. Plenty of app users do the same. In a WebAuthn world, people don't need exceptional memories to get where they need to go.
We know even thinking about this new technology can be stressful, but the benefits are clear. Let us help.
Discover how effortless and secure web authentication is with Okta’s identity management services. Contact us, and let's get started.
References
Here's Why Google, Apple, and Microsoft Think It's Time to Kill the Password. (January 2020). CNBC.
Enabling Strong Authentication with WebAuthn. (May 2018). Google.
Verizon DBIR 2020: Credential Theft, Phishing, Cloud Attacks (June 2020). Security Boulevard.
A Look at Password Security, Part IV: WebAuthn. (August 2020). Mozilla.
W3C Finalises Web Authentication Standard. (March 2019). ZDNet.
Apple Joins Industry Effort to Eliminate Passwords. (February 2020). Computerworld.
Web Authentication: An API for Accessing Public Key Credentials. (March 2019). W3C.
Streamlining the Sign-In Flow Using Credential Management API. (April 2016). Google.
WebAuthn: What You Need to Know About the Future of the Passwordless Web. (March 2019). PCWorld.
Your Employees Are Reusing Passwords. Find Out How Many. (June 2020). Info Security.
When Customers Forget Their Passwords, Business Suffers. (June 2017). Phys.org.