Going passwordless with WebAuthn
Somebody you know (or you) has the password 123456 or password.
Somebody you know (or you) uses the same password across different accounts.
Somebody you know (or you) has had their passwords exposed in breached databases.
Long story short, passwords are often extremely easy to figure out and therefore pose a serious risk to the security of networks, users, and data. A solution to this problem is to go passwordless. Leading the charge is WebAuthn, a standard for achieving secure, passwordless login.
What is WebAuthn?
The Web Authentication API, or WebAuthn for short, is a specification maintained by W3C and the FIDO foundation. Using WebAuthn, applications can increase security to prevent phishing attacks and improve user experiences with passwordless authentication. You can also use WebAuthn as an additional factor in a Multi-Factor Authentication (MFA) configuration.
How does WebAuthn work?
Instead of a password for a web app, WebAuthn has Public Key Infrastructure (PKI) as its foundation: a public/private keypair is created for each web app. The web app holds the public key, and the private key is stored in a device the user controls. This device could, for example, be the crypto module on a computer, a mobile device, or a physical key like a YubiKey. The keypair is unique to each web app and therefore does not work with a different web app. This makes WebAuthn very resistant to phishing attacks, in which credentials are captured via a malicious app and then used to access the actual app.
WebAuthn is one of the most robust and secure approaches to authentication available. The driving force behind its adoption has been Yubico, and the several flavors of its YubiKey are a de facto standard for phishing-resistant authentication. In addition, WebAuthn is easily configured, and a YubiKey associated with a user brings a seamless approach to user authentication without the need for a password.
Some of the main benefits of WebAuthn include:
- No need to handle secure storage of passwords.
- No password needs to be passed from component to component, removing the complexity of securing that process.
- Breached web apps will not impact other apps since each app’s public key is unique. WebAuthn removes the “same password everywhere” problem.
- Enables passwordless authentication and can also be an additional factor for MFA.
- Phishing resistance, by tying the key to a particular server, which the browser verifies before allowing the key to be used.
Where to learn more?
On March 9, join Curity and Yubico in the joint webinar — Phishing Resistant Passwordless Authentication with Curity and Yubico.
In this webinar, we will:
- Discuss why WebAuthn is the leading choice for achieving phishing-resistant user authentication and why it is so broadly adopted;
- Explain what makes WebAuthn the best choice when implementing a secure authentication approach;
- Show a demo of how to configure and use YubiKey authentication options in OAuth and OpenID Connect flows.
You can register for the webinar here.