On March 4th, 2019 the W3C and FIDO announced the ratification of WebAuthn. Shortly after, OneLogin announced support for WebAuthn (Web Authentication API) within the OneLogin offering. This may seem like a nothing burger, but in reality, it will change the way we authenticate.
Let’s take a simple example. As we use our mobile devices to accomplish daily activities, we are bombarded with ways to authenticate that aren’t ideal on a mobile keyboard. Entering multiple passwords, or even responding to OTP push notifications, isn’t user-friendly on smart devices. Similarly, many new desktops now have biometric sensors that allow you to authenticate with facial recognition or thumb readers.
Why can’t we use those to authenticate to web resources? Up to now, the short answer has been the absence of a standardized way to accomplish this. Developers were forced to use proprietary APIs specific to various platforms to enable the capability. The end result was suboptimal integrations and, often, inconsistent user experience across various platforms and browsers.
Over the last few years, we’ve been inundated with countless reports of security breaches, identity theft, and account takeover. We’re constantly reminded that using the same password or pattern at various websites is a very bad practice. The industry tells us the answer to these problems is multi-factor authentication (MFA) or two-factor authentication (2FA). In this case, they’re right! Using MFA or 2FA to protect your user identities is highly effective to combat the threats I mentioned previously. By enabling MFA for your accounts, you can effectively reduce threats to yourself and your company by 99.9%.
Unfortunately, MFA is perceived as difficult or inconvenient for end users. Rather than entering a user ID and password, users are also challenged to provide another factor to prove that they are who they claim to be. Of course there are many authentication factors that provide different levels of security, usability, and cost for an organization. These include items like passwords, security questions, knowledge-based questions, hardware tokens, OTP, mobile PUSH, and dongles like Yubico Yubikeys and Google’s Titan Key.
MFA doesn’t have to be difficult, especially when users can choose from different types of authentication. Given the number of authentication types, the authentication type a user chooses often boils down to preference. Sometimes users want to decide which type of authentication factor they would like to use. Enabling users to select their form of MFA, whether it be at work, shopping online, or accessing government services is a great benefit.
Many of us have new and shiny smart devices like an Apple iPhone or Google Android phone. These phones have advanced features that support items like near-field communication (NFC), Bluetooth, and embedded biometric sensors like Apple’s TouchID and FaceID. Android devices have similar capabilities. So, we’re already growing accustomed to using our phone’s capabilities when logging into websites.
Now, back to WebAuthn. Sometimes referred to as FIDO (Fast Identity Online), FIDO2, or U2F—these terms describe the efforts that were ratified by the World Wide Web Consortium (W3C) in March. WebAuthn is the culmination of many years of effort by very smart people who feel deeply about identity, privacy, and enabling a more secure and usable internet. WebAuthn articulates a set of standards that define how various types of authenticators can be used for employee, customer, partner, contractor, or citizen access requests. WebAuthn makes authenticators available for use by many of the websites and services that you probably use today. The strength of these items, besides usability, is that they utilize the cryptographic capabilities of devices to assure that authentication materials are stored on the actual user device, and not transferred or stored in the users’ identity providers’.
Here’s an example. Suppose we wanted to allow a OneLogin customer’s end-users to leverage biometric authenticators as a second factor on their smartphone. Before WebAuthn, OneLogin would have to implement proprietary APIs to integrate the biometric capabilities of iOS and Android or the Mac and PC into their MFA offering. This is not very efficient for OneLogin and, as new authenticators are created, they would need to be integrated as well. This scenario isn’t a sustainable.
WebAuthn enables Identity Providers like Facebook, Google, Amazon, and OneLogin to implement an authentication strategy that allows a user to define which authenticator makes the most sense to them. So, instead of the sites you visit deciding which authenticator should be used for MFA—you, the user—gets to decide which authenticator you would like to use. Maybe you’d like to use your Mac’s fingerprint reader as your second factor. Maybe you’d prefer to replace the usage of a password on your phone with your phone’s thumb reader. Regardless, the user is given the opportunity to decide which authentication factor makes most sense for them, their company, or the sites they frequent.
WebAuthn is new, and it is going to be a new experience for many users, so the sooner you start to understand its strengths and constraints, the sooner you will be on a path to a more secure, robust, and scalable web authentication experience.
OneLogin believes that WebAuthn has enormous potential for identity providers and users. We’re excited to provide this support to our customers very quickly after the standard was adopted. But, don’t take our word for it! Spin up a OneLogin instance and try it for yourself!
