WebAuthn: Toward the End of Passwords On the Web

4/17/2019

Frequent readers of this blog will know that I am constantly looking for alternatives to passwords. Some reasons are: they can be shared so a system cannot tell who the real user is, they can be forgotten, when stored improperly they can be leaked.

Passwords fall into the single-factor category of "something you know" (the other two are "something you have" and "something you are" such as your fingerprint). Organizations wanting higher security generally combine two of these factors. Until recently, that has been difficult or impractical for websites.

Enter "WebAuthn"

WebAuthn (short for Web Authentication) is a recently approved method to allow a user to authenticate to a website using physical devices or biometrics with the browser. That means the Yubico key (among others) can now be used to authenticate a user to a website.

WebAuthn is supported by current versions of most browsers and Windows 10, Android, and Chrome. I have used it with Firefox running on Windows 8 as well. The beauty of this is that all the work has been done for you, and it does not require setup.

There is a demo for WebAuthn at https://webauthn.org. Here is what I did to test it on my Windows 10 desktop with Firefox:

I inserted my Yubico key into a USB slot.
Connected to https://webauthn.org
Entered the username of John to create a new account and clicked the Register button.
A fingerprint icon appeared in the address bar with a message. I clicked on Proceed
The token flashed a blue light as described in a message and I touched the gold "button" as directed. The site told me "Registration Complete" and that I was "now registered".
Then to test it I clicked on the Login tab on the site. And provided my username and clicked Login.
A window told me the light should be flashing on the token and that I should press it.
I did so and received a "Success" login message.

The process took far longer to type in here than it did to actually register and log in. Because of the way Windows works, I could not capture the message window. But, the webauthn.org site does show a log of what happened. It is long and probably not meaningful for most readers, but if you do this yourself, it is accessed via a small "Advanced" link below the "Register" and "Login" buttons. For programmers, there is also a link to the source code for the site.

With the site part of the code freely available to developers, I hope more sites will choose to use WebAuthen to authenticate users. A bit of a warning, though: tokens can get lost. If you use one, keep it safe. WebAuthn should also work with fingerprints. Sadly, I cannot easily test it as my ancient phone doesn't have a fingerprint reader.

I believe WebAuthn will go a long way toward helping the web get rid of the insecure password system.

Written by John McDermott

John McDermott, CPTD, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.