Using WebAuthn or Web Authentication clients can be verified with their phones, hardware keys, or trusted devices. In his article, Nick Steele explains the new standards in web authentication, followed by registration and authentication where you’ll find PIN and biometrics access methods, then he comments how web browsers use a credential manager API.
Trusted platform module devices that secure hardware through crypto keys and mobile phones are two of the many ways to authenticate via the web. Users can be authorized by fingerprints with biometric verification, although additional bio methods exist like retina and iris patterns, hand geometry, earlobe geometry, voice waves, and DNA. When a customer is accessed via web, passwords no longer will be necessary.
When a user registers, the created credential confirms to the web app owner that access is granted. This method replaces ordinary U2F cases, in which one security key instantly validates user presence. U2F is used by Facebook, Gmail, Dropbox, Salesforce.com, and GitHub. Think about the times when you’ve confirmed identity to Gmail by entering a number they send you via text message on your phone.
The author clarifies registration with an example: A user visits the website cat-facts.com from a laptop, registering for an account. By pressing the registration button, a prompt on their phone says “Register with cat-facts.com.” When they accept the request, the user could use a PIN or a biometric action (like a fingerprint) that will be linked to the created account. This action will display a confirmation: “Registration complete!” This user is now registered and the system has recorded the authorization gesture for future access.
The same image the author shares makes me think on my phone when I download an app from the App store.
The credential created by the user is a keypair, a public key associated to a private key. The device the user is trying to authenticate will send verification data to prove user identity. When the user confirms presence, the data will be returned signed by the credential private key, authenticating the user to the device.
To demonstrate WebAuthn, let’s imagine a user registered a second account at the site example.com and the person is browsing on a phone. As the user types the address example.com, the option to login is chosen and two accounts will be displayed. The user will select the account and then prompted to enter a PIN or a biometric authentication linked to the account.
Credential manager API and… the end of passwords?
WebAuthn aims to provide biometric multi-factor authentication unique, like a fingerprint from a smartphone, voice, or retina. Eye verification would be from a short range distance, although an iris scanner that captures an eye from 40 feet away has been already developed by the Carnegie Mellon University College of Engineering. The idea is to authenticate with particular traits to increase security and replace passwords.
WebAuthn currently only supports two-factor authentication that in most cases include username and password in addition to authentication via smartphone. If a biometric verification is not accessible, entering a PIN can work because still, it will be browser-protected by Google, Microsoft, and Firefox. Verification stored by browsers could be handled by a Credential Manager API that Google uses in Chrome. As W3 defines, the API enables a website to request a user’s credentials from a user agent, helping the user agent correctly store user credentials for future use.
The end of passwords is not near yet. The author predicts Firefox and Google could release the WebAuthn API within the next months.