The idea behind WebAuthn (Web Authentication)

In the past, the only way to confirm your identity on the internet was a combination of username and password. With the username (in some cases an email address is used instead), a user specifies which account they want to access. A password that only the user knows is then used to confirm their identity. This procedure has proven not to be very effective: since it is cumbersome, users tend to simplify it on their own by choosing easy-to-remember character combinations – which can be cracked quickly – or they use the same password for every account. To counter this, password managers and multi-factor authentication (MFA) were introduced, but many users don’t take advantage of these measures. The World Wide Web Consortium (an association of IT companies that regularly publishes standards for the web) recognized this and began looking for a solution. Together with the FIDO Alliance (a cooperation of different companies working on uniform authentication measures), several measures were developed for the FIDO2 project: in addition to the FIDO Client to Authenticator Protocol (CTAP), a new standard now exists: WebAuthn. The Web Authentication API (also known as WebAuthn) is a specification written by the W3C and the FIDO Alliance, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows servers to register and authenticate users using public key cryptography instead of a password.
WebAuthn (or Web Authentication) is a uniform authentication option that no longer relies on passwords, but rather on biometric data. Users are able to log into their accounts using fingerprints or facial recognition. Today, many devices (especially smartphones and laptops) are already equipped with the corresponding hardware and software, which makes it a lot easier for users. Alternatively, a hardware token can be used to identify the user. Since users always carry this information with them, they can neither forget it nor pass it on without thinking: With WebAuthn, phishing could be a thing of the past.
Moreover, since users no longer need to create passwords and user names, there is no risk of using the same data for different accounts. The standard ensures that unique login information is available for each user’s account. You only have to register your authenticator (fingerprint, security key, etc.) once with the web service and can then use the convenient log-in. Since different data is used for each account, no tracking across different websites is possible with WebAuthn.