The Web Authentication API (WebAuthn API) is a credential management application programming interface (API) that lets web applications authenticate users without storing their passwords on servers. WebAuthn API enables servers to integrate with the strong authenticators that are built into devices, such as Apple’s Touch ID and Windows Hello. WebAuthn API is an official web standard written by the W3C and the FIDO Alliance (Fast IDentity Online) along with Tier 1 vendors such as Microsoft, Mozilla and Google.
WebAuthn API uses a private-public keypair as a credential, rather than a password. The private key is securely stored on the user’s device, while the public key, together with a randomly generated credential ID, is sent to the server for storage. The server then uses that public key to verify the identity of the user. The public key isn’t secret because it’s useless without the corresponding private key.
How WebAuthn API works
When a user logs into a website that supports WebAuthn, the application offers several options for authentication using the native support within all leading browsers and platforms.
The user can register with the web service using a range of authenticators, including an authenticator that is built into the platform, such as biometrics (iris scan, facial recognition, fingerprint), or an external authenticator, such as a security key.
After registering, the user is authenticated to the service on that device and can then sign out and sign in again with whichever registered authenticator they prefer.
WebAuthn API is unique because it can’t be used to track users across different websites. The generated credentials are tied to the domains of the websites that produced them, giving users an additional layer of privacy.
Importance of WebAuthn API
WebAuthn API resolves significant security problems related to data breaches, phishing, and attacks against SMS texts or other two-factor authentication methods. It also significantly increases ease of use because users don’t have to manage dozens of passwords that are becoming increasingly complicated.
Previously, users were required to provide shared secrets, i.e., their passwords, when they logged into accounts; those passwords were then stored on servers that may or may not have been secure. Threat actors could gain access to user accounts if the passwords were stored in plain text, the servers weren’t properly secured, or users’ passwords were easy enough to guess or social engineer.
WebAuthn API eliminates the need for servers to store passwords. Instead, the servers register WebAuthn credentials using private-public keypairs, which also include identifiers for each user.
Additionally, since users won’t have to remember their passwords or type them in, they can log in and start consuming the content of websites more quickly. That could result in more views/engagement for social media sites and more sales for e-commerce sites.
History of WebAuthn API
In December 2014, the FIDO Alliance, an open industry association that aims to increase web security and decrease the burden of dealing with passwords, began working on Universal Authentication Factor (UAF) to handle user authentication in a more modern, secure way.
However, the UAF specification wasn’t widely adopted, in part because the necessary functionality wasn’t added to major browsers, so developers who wanted to implement it had to work around that lack of native support. In addition, there wasn’t much reference material on how to implement the steps needed to make UAF work properly on iOS and Android devices.
In November 2015, the FIDO Alliance began work on a new version, FIDO2. The alliance teamed up with the W3C from 2016 through 2018 to establish a series of APIs. FIDO2 garnered support from major browser developers Microsoft, Mozilla and Google.
The goal of FIDO2 and the WebAuthn API was to provide more options and flexibility for user authentication; offer a smoother, more straightforward user experience; make it easier for developers to implement their applications; and ensure better security. The FIDO Alliance and the W3C are looking to create web experiences for users that don’t rely on multi-character passwords.