What is the main thing people want today in a web app, or in any app?
- Ease of use, and
- How fast a user can log in and use your application without having to remember yet another password.
You might be aware of the easy problem solvers like OTP login, Google OAuth, etc.
But don't you think there still has to be a better way?
Wait! Wha... What... is that?
The Web Authentication API (also known as WebAuthn) is a specification written by the W3C and FIDO, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows servers to register and authenticate users using public key cryptography instead of a password.
Basically, in simple terms, what they are saying is that you can use Apple biometrics, an external USB biometric device or a hardware security key to authenticate on your behalf and prove that you are a legitimate user.
Excited to know how this works?
The WebAuthn API is a way to authenticate users without using passwords.
- Prompt: When a device is registered with a new application or system, the WebAuthn "relying party" prompts the browser to generate a credential using public-key cryptography.
- Generates key: The system then asks the user for their preferred authentication method (biometric or possession-based) and generates a private/public key pair.
- Private key: It stays with the user (on the authenticator), while the public key is sent to the application's server for storage.
- Public key: It is uniquely linked to the user's identity based on information gathered during the credential generation process.
Engineers be like: "Enough of this, can you explain it in our language please?"
Yes, I hear you, bro. Let's dive into some technical details.
The WebAuthn Authentication Flow:
Authentication is a similar process in which the credentials generated above are used to verify the user's identity by going through a signed-challenge process again.
There is a simple 8-step process:
- A user clicks the login button on a site in their browser (the user agent) and enters their username.
- The authenticating server (the relying party) issues a challenge (a random set of data sent as an array) to the user's browser, along with the saved private key ID registered with that username.
- The browser sends this challenge and private key ID to the authenticator device.
- The authenticator device prompts the user to authenticate themselves.
  - How this looks varies by device (Touch ID on a MacBook, or touching a YubiKey).
- After authorisation, the authenticator retrieves the key pair saved on it under the provided private key ID and uses it to sign the challenge.
- The authenticator device returns the signed challenge, along with details about the process, to the authenticating server.
- The authenticating server now confirms the authenticity of the private key by using its saved public key to check that the challenge was signed by that private key.
- And the user is logged in.
Not in a mood to read too much? Have a look at this flowchart:
Got an adrenaline rush and want to start playing with code already?
Read this blog post to find a reference example project.
Currently, most people use this as MFA (multi-factor authentication), but with further updates we could actually let users log in directly with this process.
Here are the many benefits of using WebAuthn:
- Private/Public Key Based Authentication – Since this uses asymmetric cryptography by default, it's a more secure way to authenticate users than a shared secret such as a password.
- Phishing Resistant – No matching domain, no phishing. Since the domain name is bound to the credential in the authenticator, it's much harder for attackers to spoof websites and capture credentials.
- Store Only Public Data in Your DB – Only public data is stored in the DB. No sensitive data such as passwords needs to be stored in this flow.
- Fine-Grained Control – You can control what sort of user interaction you want as part of the flow.
- Better UX – Users don't need to remember any passwords; they just use a hardware authenticator to log in.
- W3C Recommendation – This means it should be supported by all major browsers across your devices.
Time to implement.
Reach out to us if you want your products to be developed with expertise and want to go all passwordless.