#1908
June 03, 2018 | By Debashish Bose
Readers who are active users of the internet will be well aware that passwords are all-pervasive on the internet, particularly when one has to avail of any service. A password therefore needs to be closely guarded. There are multiple ways to divest you of your password. Fake websites can coax you into typing in your passwords, which can then be used to impersonate you on the internet or to steal money from your bank account, a problem called phishing. Even if one follows all the guidelines to pick hard-to-guess passwords, never reuses them on multiple sites and always remembers them, passwords in the present day are not considered a reliable pillar of security.

For about two years now, cyber security researchers and professionals across the world have been trying out a different (not new) way of proving one's identity on the net without having to use passwords. Accordingly, a new standard has come into being: Web Authentication (WebAuthn). The standard has been announced by the World Wide Web Consortium (W3C) and the Fast Identity Online (FIDO) Alliance, and on 10 Apr 2018 it reached the Candidate Recommendation stage, the penultimate stage in the Web Standards process.

WebAuthn is a piece of code (a Web API) that will be written into all browsers. It allows the user of the browser to initially register and thereafter authenticate with any web application using an authenticator such as a mobile phone (in which case biometric verification such as face, fingerprint or iris can be provided), a hardware security key or a Trusted Platform Module (TPM) device, connected over Bluetooth, USB or NFC. Effectively, registration and authentication can be done without the use of passwords. WebAuthn is a core component of the FIDO2 Project, along with FIDO's Client to Authenticator Protocol (CTAP) specification.
It is this protocol (CTAP) which allows the external authenticator, such as a security key or a mobile phone, to communicate strong authentication credentials locally over USB, Bluetooth or NFC to the user's internet access device (PC or mobile phone). Currently all web browsers have a feature which allows a user to save his password in the browser, enabling quick login to online accounts. Though this arrangement is super convenient, there is always a risk of the saved passwords getting into the hands of a hacker through phishing or Man In The Middle (MITM) attacks. Once WebAuthn gains traction amongst leading browsers and website developers, users won't have to save passwords in the browser any more. Instead they can save their fingerprint, face or iris scans and use them to log into their accounts. Implementation of WebAuthn in both browsers and sites will ensure that a user can sign in using both integrated biometric hardware (such as fingerprint and facial-recognition systems) and external authenticators such as the popular YubiKey USB hardware (costing approximately Rs 3700/-).

With WebAuthn, no user credentials ever leave the browser and no passwords are used, providing strong protection against phishing, man-in-the-middle attacks and replay attacks. FIDO authentication is much stronger than relying only on passwords and related forms of authentication, because user credentials and biometric templates never leave the user's device and are never stored on servers. Microsoft, Google and Mozilla have all committed to supporting WebAuthn. Firefox 60 is already out, and Chrome 67 with this feature was released on 29 May 2018; both now have WebAuthn enabled by default.

This standard builds on a previous FIDO specification called Universal Authentication Factor (UAF). UAF was not much of a success, since it was not adopted by the major browsers, and the specification was also not very clear on how it should work with mobile browsers.
However, all that has now changed. As already stated, WebAuthn has strong backing from the major browser vendors and is also designed to be more versatile: it will be able to handle a wider range of authentication factors, such as biometrics, hardware authenticators, PINs or even more basic checks. Dropbox announced support for WebAuthn logins (as a second factor) on May 8, 2018. WebAuthn is also available to developers, so they can incorporate the new login options on their websites. As we have all seen over the last few years, there has been an ever increasing number of data thefts and password credential thefts. However, we are at a stage where all this can now change. Service and application providers can once and for all end their dependency on vulnerable passwords and lead us into an era which is password free, a world where password credential theft does not happen.