The Key to Data Security: WebAuthn

What is WebAuthn?

WebAuthn (Web Authentication API) is a global standard specification for secure authentication on the Web, formulated in 2018 by the World Wide Web Consortium (W3C).

This browser-based API allows user authentication on web applications through the creation of strong “credentials” and user-agent-mediated access to authenticators. This could be either in the form of hardware tokens (like U2F security keys) or in-built modules (biometric readers like Google Hello, Apple Touch ID) in the platform. Web Authn has garnered the support of all leading browsers like Chrome, Firefox, and Edge, and is compatible with all leading platforms.

How does WebAuthn Work?

With WebAuthn, a relying party (such as web service) can integrate a strong layer of authentication into applications with a choice of authenticators. It replaces the need for a password with the generation of a private-public key pair (credential) created for a website. While the private key is stored on the user’s device, the public key is generated randomly and shared with the server. The server then uses the public key to confirm the user’s identity.

The following steps are involved in WebAuthn:

  1. The user opens a website using their device
  2. On the request of the web service (replying party) through the Credential Manager API, the browser generates a new credential, specifying the user’s device capabilities.
  3. During the registration process, the user is offered multiple authentication options. This may vary from external authenticators to biometric authenticators like fingerprint analysis or facial recognition.
  4. Choosing any of the authenticators offered, the user completes the registration process.
  5. The authenticator generates a key pair (a public and a private key) – the public key is forwarded to the server, the private key is stored in the user’s device

Why use WebAuthn?

The public key and private key, both need to be used in conjunction. Therefore, by eliminating the need for a “secret” such as a password, WebAuthn drastically improves data security and prevents data breaches. Even if the public key is hacked, it will not function without the private key – which is stored in the user’s device – and becomes useless.

These are some of the scenarios in which WebAuthn can be useful:

  • Setting up two-factor authentication (with or without passwords) that is resistant to friction and phishing
  • Using biometric authorization that eliminates the need for passwords
  • Recovering lost or stolen devices and bootstrapping of new devices 

Find out how you can improve data security and prevent data breaches with Akku. Get in touch with us for a free demo today!

Published by

Madhav Sattanathan

Madhav Sattanathan stepped into the technology realm at a very young age and, having nurtured this passion for technology consistently and persistently, has emerged as a technology leader equipped with the skills and knowledge to provide the right solutions for business growth. A Finance degree from Purdue University and a wealth of experience across various industries have trained him to solve real-world business problems with practiced knowledge and intuitive vision. Madhav, with his penchant for innovation, resolved to combine his technology and business know-how to deliver high-quality products and services at low costs. Akku was his brainchild at a time when the cloud was quickly gaining ground, and control over cloud environments was an increasingly felt need. Akku has evolved considerably under Madhav's watch to become the enterprise-grade identity and access management platform it is today, with the genuine ability to go toe-to-toe with the biggest global names in the industry.