W3C Declares Web Standard for WebAuthn API: We Are on the Verge of Password-Free Surfing
It is said that the greatest advantages always come with the largest threats. That is exactly what is happening in the modern digital era. Today’s life cannot be imagined without the internet, but security threats are also advancing every day at a high rate, and phishing always remains at the top of the list.
81% of account breaches succeed using default, stolen or weak passwords, and the number is still growing. Passwords are also hugely time-consuming: a recent Yubico study found that around 10.9 hours per year are wasted just on resetting passwords, at an industry cost of $5.2 million per annum. Even so, they remain vulnerable.
According to Statista, 15.7% of worldwide phishing attacks targeted financial institutions during the third quarter of 2018. Among them, 38.2% targeted payment service accounts. Healthcare and military facilities are also being outsmarted by attackers, which points to a great challenge for all of us.
So you can already see how passwords are losing their reliability. This is why more specific verification, such as biometric authentication, is a necessity in today’s world, not a luxury. And W3C’s announcement of 4th March 2019 finalizing the Web standard for WebAuthn is a great advance towards a future password-free digital world.
What is WebAuthn
Let’s clear up the terms in plain English first. We will start with WebAuthn.
- Its full name is Web Authentication. What is it? Nothing you haven’t seen before: it is the extra layer of security you are asked to go through in two-step verification on some sites. Gotcha! Then why all the fuss?
- Actually, you have seen it in some places, but not everywhere. Dropbox was among the first services to implement U2F keys, back in 2015.
- Google joined hands with the FIDO Alliance in 2013 to provide more secure services to its users, and has been using security keys since desktop version 67 of its browser.
- Other browsers such as Mozilla Firefox (which did not fully support FIDO U2F, the predecessor of WebAuthn) are going to adopt it fully after the 4th March announcement. That is another big step towards making it an open standard for use everywhere.
You can watch the video on this topic, provided by the Google developer blog site.
- The World Wide Web Consortium (W3C), the leading standards organization of the World Wide Web, has finally made WebAuthn official: a standardized protocol for phishing-resistant authentication that can be implemented in all web applications. That is what a W3C Web Standard means, a specification generalized for the entire internet.
- From now on, all the major web browsers, including Mozilla Firefox, Apple Safari (in its preview version), Microsoft Edge and Google Chrome, are going to support this two-step verification for better security.
- The WebAuthn Level 1 standard was introduced as a W3C Recommendation through the collaboration of the FIDO Alliance (Fast IDentity Online) with W3C, whose Web Authentication Working Group was formed on February 17, 2016.
- Brett McDowell, the executive director of the FIDO Alliance, explained, “The Web Authentication component of FIDO2 is now an official web standard from W3C, an important achievement that represents many years of industry collaboration to develop a practical solution for phishing-resistant authentication on the web.”
- The evolution of the WebAuthn standard was pioneered by FIDO submitting the FIDO 2.0 specifications to the W3C in 2015.
- The new standard differs somewhat from its predecessors in that it can generate a unique “user handle” identifier for each individual account, which was not possible before.
- Yet older FIDO U2F (Universal 2nd Factor) security keys are also compatible with this new standard.
- WebAuthn gives users the option to sign in to websites based on their phone numbers, biometrics, or FIDO security keys. It is also standardized on Windows 10 and Android.
How it works
The Web Authentication (WebAuthn) API, the updated version of FIDO U2F, works in a similar way: it creates a connection between a website and a web browser via an authenticator.
WebAuthn Work Flow
- Here, a multi-factor cryptographic authenticator implements public-key cryptography based on the FIDO CTAP (Client to Authenticator Protocol), so that the verifier can authenticate the user.
- The verifier website is called the WebAuthn Relying Party.
- Besides roaming hardware authenticators, software authenticators (e.g., inside smartphones) and platform authenticators (a token implemented directly inside the WebAuthn Client, such as the web browser or another client device) are also eligible as authenticators.
- Authenticators can be built into the platform itself, or connected via USB, NFC (Near-Field Communication) or BLE (Bluetooth Low Energy).
- The authenticator asks for a PIN (or, mostly, biometrics such as a fingerprint, similar physical traits captured by the cameras of personal devices, or mobile-generated OTPs) to verify a particular user.
- FIDO2 makes sure that login credentials remain unique to each website.
- Moreover, security PINs are device-only; no such data is kept on the server itself.
- Websites can enable the FIDO2 API across all supporting browsers and platforms, covering over a billion devices.
- Supporting browsers always provide interfaces called PublicKeyCredential, AuthenticatorResponse, AuthenticatorAssertionResponse and AuthenticatorAttestationResponse, along with other data types including various dictionaries.
- Once created, the private key cannot be altered.
- The browser implements a JavaScript API, which calls upon the authenticator, whose response is then verified by the WebAuthn client site.
- Two JavaScript methods (navigator.credentials.create() and navigator.credentials.get()) from the Credential Management API are used here to obtain a new publicKey credential.
- The create() method handles the registration and initialization of the public key, whereas the get() method manages verification at every login.
The FIDO Alliance has launched a certification program, along with testing tools, for website vendors to check their implementation before deploying the WebAuthn API.
To illustrate the convenience of WebAuthn, Dropbox gave this example: “Security keys prevent phishing by giving Dropbox cryptographic proof that you both have your key and are using it on https://www.dropbox.com (instead of a phishing page).” It went on: “Unlike passwords, the secrets used in WebAuthn never leave your security key, so they are significantly harder to steal. And before using a secret to authenticate to Dropbox, the security key checks that you are signing in to the right place. You can feel confident when signing in that it’s really us, and we can be confident it’s really you.”
In the end, the WebAuthn security system may not be the perfect protection against phishing altogether, but it is the ship ready to sail through the present storm. It may have its own flaws, but it is the best option we currently have. If, in the distant future, criminals break through these defences, we will again be ready to face the odds together. Until then, let’s enjoy surfing the internet with less anxiety.