WebAuthn – The next nail in the coffin for usernames and passwords

It's a lingering death, but at some point the last username/password combination will be entered. This is a good thing, because one data breach after another shows that neither the private sector nor public institutions can adequately protect personal data. The EU GDPR will perhaps alleviate the problem somewhat, but will not solve it fundamentally. The secure alternative to usernames and passwords is multi-factor or two-factor authentication (MFA/2FA). Having to know something and having to possess something in order to authenticate makes stolen passwords worthless. So far so good, but every theory has its gray areas. Even though many web services such as Facebook already offer 2FA, it is still hardly used. The objections range from "it's a bit too much effort to open an app" to "users with little IT background find it too complicated". True acceptance can only be achieved through seamless integration into all the important services people use.

The upcoming WebAuthn standard has great potential to introduce 2FA to a broad audience. WebAuthn uses a hardware token based on the U2F standard. Universal Second Factor (U2F) is an industry standard for general two-factor authentication. Yubikey is one of the most important manufacturers of U2F tokens and also one of the members involved in developing the standard. The non-profit FIDO Alliance, which has more than 30 members, is responsible for developing U2F. The U2F standard has been around since 2014, but hopes for widespread adoption have been raised by Mozilla's announcement that Firefox 60 has built-in authentication via WebAuthn. Although WebAuthn also supports other features such as biometrics, WebAuthn and U2F are an ideal combination that can finally free users from entering passwords for popular web services. Although the World Wide Web Consortium (W3C) still has to ratify WebAuthn as a web standard, numerous other manufacturers such as Microsoft (Windows 10, Edge) and Google (Chrome) have already signaled their support in addition to Mozilla. Apple is also likely developing an implementation for the Safari browser, as a bug report by an Apple developer suggests.

WebAuthn defines a web API that can be integrated into browsers and the web platforms connected to them. It is based on public-key authentication. For each service, a key pair is created and only the public key is transferred to the service. The private key normally never leaves the U2F token, although the standard does allow this. Because WebAuthn works as a challenge-response procedure, the web service sends a challenge and the user must initiate the login by pressing a button on the token. The login will not complete without this user action. This means the token can stay plugged into the computer: it is cryptographically protected against attacks and still requires the user to press a key. Because the secret (the private key) does not normally leave the end device, it cannot be leaked by the service provider. There are also no concerns regarding data protection: WebAuthn is not single sign-on, even though it can secure many services. Each web service has its own key pair, and by default servers cannot obtain information about other key pairs on the U2F token. Because user accounts are still managed individually without a central register, anonymity is also preserved, at least during login. Which identifiable data the user then shares with the service provider is another matter.

What sounds complex at first is intuitive and simple in practice, especially if you use a browser that already has WebAuthn built in. The security level is significantly higher than with a username/password combination and also beats one-time PINs via SMS or app in terms of convenience. The only drawback could be the price for a U2F-enabled token, which is currently between 10 and 50 euros. In view of the significantly increased security level, the investment should not really be much of an issue. Maybe service providers will also recognize the potential of WebAuthn/U2F and cover the costs of tokens with company branding in their usage fees.
