WebAuthn: it's time to forget your passwords

By Jelle Biesemans

4 min read

Dive into the browser standard of securing login and authentication using the WebAuthn browser API

WebAuthn: it's time to forget your passwords
Authors

WebAuthn: it's time to forget your passwords

Imagine a world where the hassle of remembering and resetting passwords is a thing of the past. In this article, we'll dive into WebAuthn, a web standard that eliminates passwords, replacing them with a more secure and convenient login experience.

With WebAuthn, accessing your favorite websites becomes effortless, allowing you to focus on what truly matters. Step into a future where authentication is seamless and secure, liberating you from the burden of passwords.

What is WebAuthn

Since March 2019, the W3C announced that WebAuthn is the official web standard for password-free login.

It is a browser-based API that allows web applications to simplify and secure user authentication. This is done by using registered devices (such as phones and laptops) or biometrics (such as fingerprints) as factors. WebAuthn uses public key cryptography to protect users from advanced phishing attacks.

Why do the current methods fail us?

Usernames and passwords

We're all familiar with the original way of authentication: using usernames and passwords. Although this system is easy to understand for the common users, it certainly has its flaws.

Credentials are easily forgotten, people would write down their password somewhere if they didn't use a password manager, ...

It was found that this way of authentication was not the safest way and the need for a more secure authentication system rose.

2FA

An extra authentication step was introduced with two-factor authentication (2FA). This extra step makes it harder for people with malicious intent to steal your password data and take over your accounts.

However, popular, low-assurance second factors like SMS and email are vulnerable to phishing attacks.

Benefits of using WebAuthn

Now, some benefits will be addressed. These will be split up by customers (web application users), product owners, and security teams (web application owners).

Let's see how WebAuthn provides both parties with its benefits.

Web-application users

  1. WebAuthn completely removes the need for passwords. For users, this means not having to remember their login credentials, or requesting an OTP (one-time password) when using that as a second factor. The authentication flow is simplified to just use the registered device.

  2. Customers are giving you their information. They want to know their data is safe when they share it. WebAuthn subverts associated with passwords and therefore is a much more secure authentication method.

Web-application owners

  1. Product owners care about the use of their applications, and removing customer-facing barriers, such as complex authentication, is one of their highest priorities. WebAuthn contributes to a better login experience.

  2. Security teams need to be less involved. Since the private key never leaves the user's device, the risk of spoofing authentication is lower. The only way to get access to an account is by physically stealing the registered device.

How does it work?

So when WebAuthn removes the need for actual passwords, how does it go about authenticating the user? How does it do the things it is doing?

WebAuthn has three main components that make all the magic happen:

  • the authenticator
  • the browser
  • and the web server

Authentication process

Using those three components, the authentication process can be explained as follows:

  1. The user goes to the browser to initiate the login
  2. The web server receives this login request, then creates a unique challenge and sends it to the authenticator
  3. The authenticator receives this challenge, including the domain name for the challenge
  4. The Authenticator receives biometric consent/passkey from the user
  5. The Authenticator generates a cryptographic signature (public-private keypair) which is sent back to the web server
  6. The web server verifies the signature to the unique challenge and logs the user in when verified
authentication process

More information about the technical specs can be found here

Drawbacks

I can already hear you think: "WebAuthn, okay, all nice. But what if I lose my device on which my private key is stored?"
The answer is simple: you will be locked out of your account, with no way to recover it.

That is why it is important to have some fallbacks. Here are some ways that might just prevent you from getting locked out of your account:

  • register multiple devices
  • use a password manager like 1Password to store your private key (this can also be used with multiple devices)

Browser support?

WebAuthn is supported in all major browsers, except for

  • Firefox: partial support because TouchID is not yet being supported.

Some smaller browsers

  • Firefox for Android: not supported when a PIN is set
  • Opera mini: no support at all
  • IE: no support at all, but it's IE after all ๐Ÿ™ˆ

What does the future bring?

Authentication is shifting more and more towards passwordless. Accounts will be more secure and the risk of account takeovers and limited user experience will be problems of the past.

That's why it is time to forget about your passwords and start using passwordless logins!

authentication timeline

Useful links

Upcoming events

  • Coven of Wisdom - Herentals - Winter `24 edition

    Worstelen jij en je team met automated testing en performance? Kom naar onze meetup waar ervaren sprekers hun inzichten en ervaringen delen over het bouwen van robuuste en efficiรซnte applicaties. Schrijf je in voor een avond vol kennis, heerlijk eten en een mix van creativiteit en technologie! ๐Ÿš€ 18:00 โ€“ ๐Ÿšช Deuren open 18:15 โ€“ ๐Ÿ• Food & drinks 19:00 โ€“ ๐Ÿ“ข Talk 1 20:00 โ€“ ๐Ÿน Kleine pauze 20:15 โ€“ ๐Ÿ“ข Talk 2 21:00 โ€“ ๐Ÿ™‹โ€โ™€๏ธ Drinks 22:00 โ€“ ๐Ÿป Tot de volgende keer? Tijdens deze meetup gaan we dieper in op automated testing en performance. Onze sprekers delen heel wat praktische inzichten en ervaringen. Ze vertellen je hoe je effectieve geautomatiseerde tests kunt schrijven en onderhouden, en hoe je de prestaties van je applicatie kunt optimaliseren. Houd onze updates in de gaten voor meer informatie over de sprekers en hun specifieke onderwerpen. Over iO Wij zijn iO: een groeiend team van experts die end-to-end-diensten aanbieden voor communicatie en digitale transformatie. We denken groot en werken lokaal. Aan strategie, creatie, content, marketing en technologie. In nauwe samenwerking met onze klanten om hun merken te versterken, hun digitale systemen te verbeteren en hun toekomstbestendige groei veilig te stellen. We helpen klanten niet alleen hun zakelijke doelen te bereiken. Samen verkennen en benutten we de eindeloze mogelijkheden die markten in constante verandering bieden. De springplank voor die visie is talent. Onze campus is onze broedplaats voor innovatie, die een omgeving creรซert die talent de ruimte en stimulans geeft die het nodig heeft om te ontkiemen, te ontwikkelen en te floreren. Want werken aan de infinite opportunities van morgen, dat doen we vandaag.

    | Coven of Wisdom Herentals

    Go to page for Coven of Wisdom - Herentals - Winter `24 edition

  • Mastering Event-Driven Design

    PLEASE RSVP SO THAT WE KNOW HOW MUCH FOOD WE WILL NEED Are you and your team struggling with event-driven microservices? Join us for a meetup with Mehmet Akif Tรผtรผncรผ, a senior software engineer, who has given multiple great talks so far and Allard Buijze founder of CTO and founder of AxonIQ, who built the fundaments of the Axon Framework. RSVP for an evening of learning, delicious food, and the fusion of creativity and tech! ๐Ÿš€ 18:00 โ€“ ๐Ÿšช Doors open to the public 18:15 โ€“ ๐Ÿ• Letโ€™s eat 19:00 โ€“ ๐Ÿ“ข Getting Your Axe On Event Sourcing with Axon Framework 20:00 โ€“ ๐Ÿน Small break 20:15 โ€“ ๐Ÿ“ข Event-Driven Microservices - Beyond the Fairy Tale 21:00 โ€“ ๐Ÿ™‹โ€โ™€๏ธ drinks 22:00 โ€“ ๐Ÿป See you next time? Details: Getting Your Axe On - Event Sourcing with Axon Framework In this presentation, we will explore the basics of event-driven architecture using Axon Framework. We'll start by explaining key concepts such as Event Sourcing and Command Query Responsibility Segregation (CQRS), and how they can improve the scalability and maintainability of modern applications. You will learn what Axon Framework is, how it simplifies implementing these patterns, and see hands-on examples of setting up a project with Axon Framework and Spring Boot. Whether you are new to these concepts or looking to understand them more, this session will provide practical insights and tools to help you build resilient and efficient applications. Event-Driven Microservices - Beyond the Fairy Tale Our applications need to be faster, better, bigger, smarter, and more enjoyable to meet our demanding end-users needs. In recent years, the way we build, run, and operate our software has changed significantly. We use scalable platforms to deploy and manage our applications. Instead of big monolithic deployment applications, we now deploy small, functionally consistent components as microservices. Problem. Solved. Right? Unfortunately, for most of us, microservices, and especially their event-driven variants, do not deliver on the beautiful, fairy-tale-like promises that surround them.In this session, Allard will share a different take on microservices. We will see that not much has changed in how we build software, which is why so many โ€œmicroservices projectsโ€ fail nowadays. What lessons can we learn from concepts like DDD, CQRS, and Event Sourcing to help manage the complexity of our systems? He will also show how message-driven communication allows us to focus on finding the boundaries of functionally cohesive components, which we can evolve into microservices should the need arise.

    | Coven of Wisdom - Utrecht

    Go to page for Mastering Event-Driven Design

  • The Leadership Meetup

    PLEASE RSVP SO THAT WE KNOW HOW MUCH FOOD WE WILL NEED What distinguishes a software developer from a software team lead? As a team leader, you are responsible for people, their performance, and motivation. Your output is the output of your team. Whether you are a front-end or back-end developer, or any other discipline that wants to grow into the role of a tech lead, RSVP for an evening of learning, delicious food, and the fusion of leadership and tech! ๐Ÿš€ 18:00 โ€“ ๐Ÿšช Doors open to the public 18:15 โ€“ ๐Ÿ• Letโ€™s eat 19:00 โ€“ ๐Ÿ“ข First round of Talks 19:45 โ€“ ๐Ÿน Small break 20:00 โ€“ ๐Ÿ“ข Second round of Talks 20:45 โ€“ ๐Ÿ™‹โ€โ™€๏ธ drinks 21:00 โ€“ ๐Ÿป See you next time? First Round of Talks: Pixel Perfect and Perfectly Insane: About That Time My Brain Just Switched Off Remy Parzinski, Design System Lead at Logius Learn from Remy how you can care for yourself because we all need to. Second Round of Talks: Becoming a LeadDev at your client; How to Fail at Large (or How to Do Slightly Better) Arno Koehler Engineering Manager @ iO What are the things that will help you become a lead engineer? Building Team Culture (Tales of trust and positivity) Michel Blankenstein Engineering Manager @ iO & Head of Technology @ Zorggenoot How do you create a culture at your company or team? RSVP now to secure your spot, and let's explore the fascinating world of design systems together!

    | Coven of Wisdom - Amsterdam

    Go to page for The Leadership Meetup

Share

Jobs

Lead Front-end Developer

Rotterdam, Zuid-Holland, Nederland

Senior Web Developer

Sofia, Sofia, Bulgarije

React Developer

Sofia, Sofia, Bulgarije

.Net Developer

Sofia, Sofia, Bulgarije

View all jobs