Categories: Workforce Identity & Access Management (IAM)

The Key to Data Security: WebAuthn

What is WebAuthn?

WebAuthn (Web Authentication API) is a global standard specification for secure authentication on the Web, formulated in 2018 by the World Wide Web Consortium (W3C).

This browser-based API allows user authentication on web applications through the creation of strong “credentials” and user-agent-mediated access to authenticators. This could be either in the form of hardware tokens (like U2F security keys) or in-built modules (biometric readers like Google Hello, Apple Touch ID) in the platform. Web Authn has garnered the support of all leading browsers like Chrome, Firefox, and Edge, and is compatible with all leading platforms.

How does WebAuthn Work?

With WebAuthn, a relying party (such as web service) can integrate a strong layer of authentication into applications with a choice of authenticators. It replaces the need for a password with the generation of a private-public key pair (credential) created for a website. While the private key is stored on the user’s device, the public key is generated randomly and shared with the server. The server then uses the public key to confirm the user’s identity.

The following steps are involved in WebAuthn:

The user opens a website using their device
On the request of the web service (replying party) through the Credential Manager API, the browser generates a new credential, specifying the user’s device capabilities.
During the registration process, the user is offered multiple authentication options. This may vary from external authenticators to biometric authenticators like fingerprint analysis or facial recognition.
Choosing any of the authenticators offered, the user completes the registration process.
The authenticator generates a key pair (a public and a private key) – the public key is forwarded to the server, the private key is stored in the user’s device

Why use WebAuthn?

The public key and private key, both need to be used in conjunction. Therefore, by eliminating the need for a “secret” such as a password, WebAuthn drastically improves data security and prevents data breaches. Even if the public key is hacked, it will not function without the private key – which is stored in the user’s device – and becomes useless.

These are some of the scenarios in which WebAuthn can be useful:

Setting up two-factor authentication (with or without passwords) that is resistant to friction and phishing
Using biometric authorization that eliminates the need for passwords
Recovering lost or stolen devices and bootstrapping of new devices

Find out how you can improve data security and prevent data breaches with Akku. Get in touch with us for a free demo today!

Madhav Sattanathan

Madhav Sattanathan is the Founder and CEO of Akku. A technologist at heart with a strong foundation in finance, he identified the growing need for enterprises to retain control over rapidly expanding cloud environments. This vision led to the creation of Akku, which today stands as a robust IAM platform enabling organizations to secure access, ensure compliance, and drive digital transformation. At CloudNow, where Madhav is Founder and CEO as well, he has built a company recognized for solving real-world business challenges with innovative cloud solutions. His entrepreneurial journey also spans leadership in real estate ventures and operational roles in technology and financial services across the U.S. and India. His career path - from finance and operations in American mortgage firms to spearheading cutting-edge cloud technology in India - reflects his versatility, foresight, and passion for building businesses that deliver tangible results.