Death of the Password: An Introduction to WebAuthn
Last week, I received an email from Google stating that my email and password had been leaked in a recent data breach. Like many people, I’m guilty of reusing the same password for multiple accounts, so the leak had compromised my information in a number of different locations. I was advised to change all of my passwords and to use different passwords for each of my important accounts.
Of course, I am not alone in this situation – at this point most people have had their email or password leaked on some occasion. (If you don’t know if your passwords have been compromised, you can check the website http://haveibeenpwned.com/ to see if your personal information has been a part of any data breach). Fortunately, the age of password protection may be coming to an end. In this post I’ll examine the added measures of security you can use to protect your information, as well as the new technology that is being developed to replace our password-centric system.
The Problem with Passwords
Password failures typically come from an issue in one of three areas:
- Our ability to set and remember our password: We, as humans, do not have the mental capacity to keep track of dozens of long, random strings of letters, numbers, and symbols at once. As a result, many of us reuse passwords and create passwords that are in some way personally significant to us. This makes our passwords relatively easy to guess or crack.
- Our ability to protect our password: As anyone who has taken an “internet safety” seminar can attest, cybercriminals are constantly coming up with new ways to trick you into revealing your password. Phishing, for example, is one of the many ways that we can be tricked into providing sensitive information, such as our email or password.
- The ability of the website to protect our password: You are not the only person responsible for the security of your password. When you use a password to enter a website, you are also trusting that website to protect your password. If the website is compromised, it is possible for your password to be leaked through no fault of your own. Therefore, passwords are only successful if the website is able to both store your password safely and send your password securely.
Multiple Factor Authentication
To help offset some of the faults associated with your password, you can further protect your important accounts by using Multiple Factor Authentication (MFA). MFA provides an extra layer of security and limits what a phished password is worth: even if your password is compromised, there is still an extra security layer that must be overcome to reach your information.
There are numerous MFA methods that you can use with your accounts, including:
- SMS confirmation code
- Voice codes
- Mobile push prompt
- Authenticator app one-time password (OTP)
- Security Token
However, there are tradeoffs for the added layer of security that MFA provides for your accounts. Firstly, MFA requires you to have your authentication device handy any time you log in. This means that if you do not have your authentication device with you (for example, you left your phone at home), you cannot access your accounts.
Secondly, MFA makes the login process less efficient, as it requires you to go through multiple authentication steps every time you access your account. And finally, if you lose your authentication device, it can be incredibly hard to change your password and/or access your account.
Despite the tradeoffs, MFA is a great way to help secure your important accounts and bolster your password protection.
WebAuthn: The Perfect World Password Solution
In a perfect world, you would be able to create a password that was easy to remember, hard to guess, and easy to change. This is exactly what the World Wide Web Consortium (W3C) and the Fast IDentity Online (FIDO) Alliance have been trying to create. Together, the W3C and the FIDO Alliance have developed a new standard called WebAuthn.
WebAuthn is a login system that forgoes the need for passwords altogether. Many companies, including Google, Mozilla, and Microsoft, are part of the alliance, indicating that WebAuthn will be widely accepted once it is released.
The Benefits of WebAuthn:
The WebAuthn standard provides a number of benefits, including:
- Asymmetric Encryption: Asymmetric encryption is a type of encryption that uses two cryptographic keys to encrypt and decrypt data. WebAuthn leverages asymmetric encryption to register and authenticate users. This eliminates the need for passwords altogether.
- The Use of Public-Private Key Pairs: Instead of passwords, the asymmetric encryption creates a public-private key pair that you use to log in.
- Registration of New Users without Using Passwords: Instead of sending a password during login, the private key on the user’s side is used to sign the challenge the server issued, and only that signed challenge is sent to the website.
- Private Key Security: The private key never has to be shared, because it never leaves your browser. Meanwhile, the public key can be stored in the website’s database without concern, because on its own it grants no access to your account. This means that even if the website is compromised, your information will not be leaked.
The WebAuthn Process
WebAuthn is primarily used in two scenarios: When a user creates a new account and when a returning user signs in to their account.
Scenario 1: Creating a New Account
When you create an account for a website that uses WebAuthn, the following procedure will occur:
- You will go to your browser, type in your username, and send it to the server.
- The server will search for the username to see if it is already in use. If it does not find the username, the server will create a randomly generated challenge code for the browser to sign using asymmetric encryption.
- The browser will receive the challenge from the server and create the public-private key pair to be used.
- The browser then signs the server’s challenge with the private key, and authenticates the server by verifying that both communications had the same origin. The application programming interface (API) used for this, navigator.credentials, is already present in several browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge.
- Once the challenge has been signed and the server origin verified, the browser passes the signed challenge to the server and shares the public key. The signed challenge can only be verified using this public key; a signature produced with any other key will not match the challenge the server sent you.
- The server stores the public key to be used for future requests.
When you create a new account using WebAuthn, an ID for your account is also generated by the server. This ID allows you to have multiple public keys for the same site so that you can log in with multiple devices. This means that the verification keys you use to log in will be different for each device you own.
Scenario 2: Logging In to an Existing Account
Once you have created an account with a website that uses WebAuthn, you will then use WebAuthn each time you want to access your account. When you log in, the following procedure will occur:
- You will go to your browser, type in your username, and send it to the server.
- When the server finds the public key associated with your username, it will send a new challenge to your browser. This step is very important: because a new challenge is randomly generated each time you log in, a signed response captured during one login is useless for any later login, which makes the exchange between your browser and the server far more secure.
- The browser will sign the new challenge with the private key.
- The browser will return the signed challenge to the server.
- The server will use the public key to verify the signature on the challenge.
- If the authentication is successful, the server will grant you access to the website.
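The browser’s side of both procedures above, as an added example that is not code from the original post: the navigator.credentials.create() and navigator.credentials.get() calls named in the registration steps, the option objects they take, and the base64url encoding needed to carry challenges, credential IDs and signatures through JSON (the API itself works with ArrayBuffers). The endpoint URLs, the JSON the server returns, and the relying-party name are assumptions. Note that the browser, not the page, records the origin inside clientDataJSON, which is what lets the server check that both communications had the same origin.

```javascript
// Assumed server endpoints and JSON shapes (constructed for this example, not from the post):
//   POST /webauthn/register/begin  {username}             -> {challenge, userId, username, rpId}
//   POST /webauthn/register/finish {username, credential} -> {ok}
//   POST /webauthn/login/begin     {username}             -> {challenge, rpId, credentialIds}
//   POST /webauthn/login/finish    {username, credential} -> {ok}
// Binary fields cross the wire as base64url strings; navigator.credentials wants byte buffers.

function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function bytesToBase64url(buf) {
  const bin = Array.from(new Uint8Array(buf), (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Options for navigator.credentials.create() (Scenario 1, step 3): the browser/authenticator makes
// the key pair and binds the credential to rp.id, so it can only be used from that site later.
function buildCreateOptions(begin) {
  return { publicKey: {
    challenge: base64urlToBytes(begin.challenge),
    rp: { id: begin.rpId, name: 'Example Site' }, // name is an assumption
    user: { id: base64urlToBytes(begin.userId), name: begin.username, displayName: begin.username },
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }], // COSE ES256, RS256
    authenticatorSelection: { userVerification: 'required' }, // fingerprint, face or PIN via CTAP
    timeout: 60000,
    attestation: 'none',
  } };
}

// Options for navigator.credentials.get() (Scenario 2, step 3): the server lists the credential IDs
// it has on file for this account so the authenticator picks the matching private key.
function buildGetOptions(begin) {
  return { publicKey: {
    challenge: base64urlToBytes(begin.challenge),
    rpId: begin.rpId,
    allowCredentials: begin.credentialIds.map((id) => ({ type: 'public-key', id: base64urlToBytes(id) })),
    userVerification: 'required',
    timeout: 60000,
  } };
}

// The PublicKeyCredential the browser returns holds ArrayBuffers; convert them for JSON transport.
// clientDataJSON carries the challenge and the origin the browser observed; the server checks both.
function serializeCredential(cred) {
  const r = cred.response;
  const out = { id: cred.id, type: cred.type, rawId: bytesToBase64url(cred.rawId), response: {} };
  out.response.clientDataJSON = bytesToBase64url(r.clientDataJSON);
  if (r.attestationObject) out.response.attestationObject = bytesToBase64url(r.attestationObject); // create()
  if (r.authenticatorData) { // get()
    out.response.authenticatorData = bytesToBase64url(r.authenticatorData);
    out.response.signature = bytesToBase64url(r.signature);
    out.response.userHandle = r.userHandle ? bytesToBase64url(r.userHandle) : null;
  }
  return out;
}

async function postJson(url, body) {
  const res = await fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) });
  if (!res.ok) throw new Error(`${url}: HTTP ${res.status}`);
  return res.json();
}

async function registerWithWebAuthn(username) { // Scenario 1 from the browser's side
  const begin = await postJson('/webauthn/register/begin', { username });
  const cred = await navigator.credentials.create(buildCreateOptions(begin));
  return postJson('/webauthn/register/finish', { username, credential: serializeCredential(cred) });
}

async function loginWithWebAuthn(username) { // Scenario 2 from the browser's side
  const begin = await postJson('/webauthn/login/begin', { username });
  const cred = await navigator.credentials.get(buildGetOptions(begin));
  return postJson('/webauthn/login/finish', { username, credential: serializeCredential(cred) });
}
```

Wire registerWithWebAuthn and loginWithWebAuthn to the “register” and “sign in” buttons of a page served over HTTPS; the browser refuses to run this API on plain HTTP, and a mismatch between rp.id and the page’s origin makes the create() or get() call fail before anything reaches the server.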
The WebAuthn method of authentication is extremely secure because it removes the reliance on server security and human memory.
WebAuthn and the Client to Authenticator Protocol
In addition to WebAuthn, the FIDO Alliance also developed the Client to Authenticator Protocol (CTAP). CTAP defines the interactions between the browser and security layers that are already present in your mobile device. This allows the browser to verify your identity using physical authentication, such as fingerprint scans, facial recognition software, or USB keys.
The combination of WebAuthn and CTAP creates some intriguing use cases. With these two protocols, we now have the ability to securely gain access to the web using hardware authenticators in our devices.
For example, if you are creating a new account on a website that uses both protocols, you will enter your username and click “register.” Your browser will then ask you for access to facial recognition or a fingerprint scan, which it will use to sign the challenge from the server.
Though these technologies are still in the early development phase, they offer the possibility of a promising passwordless world in the near future. Until then, don’t forget to use unique passwords and MFA to protect your personal information.