WebAuthn - The Future of Web Authentication

by Marc Ruef
on April 24, 2018

Keypoints

  • W3C and FIDO Alliance have introduced a new specification
  • WebAuthn (Web Authentication) standardizes access to hardware mechanisms for the purpose of secure browser authentication
  • Major browser makers like Microsoft, Google, and Mozilla have expressed their support and are working on the first implementations
  • In order to use the mechanism with asymmetric cryptographic methods, registration using conventional password authentication is required first
  • WebAuthn addresses several classic security problems but also increases complexity in the browser

The World Wide Web Consortium (W3C) and FIDO Alliance have introduced a new specification for the FIDO Authentication Framework. WebAuthn (Web Authentication) is designed to promote a standardization of secure authentication on the web. It defines parameters for controlling hardware mechanisms (e.g. USB, Bluetooth or NFC). Major browser makers like Microsoft, Google, and Mozilla have committed themselves to the standard and will be implementing it in the future.

Functionality

WebAuthn is based on a previous FIDO specification called Universal Authentication Factor (UAF). It didn’t see much uptake at the time, one of the reasons being that it completely ignored mobile browsers. In contrast, WebAuthn will be able to achieve a large-scale market presence thanks to support from the big browser makers. As a result, it will play a significant role in modern web security.

A web service must offer WebAuthn as an authentication mechanism. The user will then be prompted to register their device for this service before they can proceed. To do so, they connect to the service from a compatible browser and start the registration process. The user can then select their locally saved identity and link it with the service. This presumably requires that they authenticate their identity with the conventional username/password method. From then on, they no longer have to rely on classic credentials and can instead sign in with their device.

Advantages

Once the user has jumped through all of the hoops required for registration, they can use a relatively simple and comprehensible mechanism for the purpose of authentication. They no longer have to deal with an endless array of authentication types and custom implementations. For the most part, they should be able to log into their online banking in the same way as they would their webmail or a web forum. Occasional users are especially likely to appreciate the simplification this brings to their day-to-day tasks.

The use of an asymmetric method greatly improves the security of any authentication process. The cryptographic properties of the mechanism prevent the easy theft of credentials for re-use attacks.

Because a new key pair is generated for each service, it is also possible to thwart so-called “birthday attacks”. In other words, the same credentials can no longer be used for authentication on two different services. This means that if there is a data breach on one service, this has no direct impact on the secure authentication on a different service. The rising number of data breaches and increased interest in the issue have made this a real problem.

Criticism

The registration always has to be completed with an alternative channel or method, typically with username/password credentials. An intruder can intercept, manipulate, or interfere with the registration during this phase, due to the classic problem of symmetric encryption: How can the pre-shared secret (key) be exchanged securely in the first place?

In the W3C press release, the Executive Director of the FIDO Alliance made a statement in which he reported that phishing-resistant authentication has finally arrived with WebAuthn. This is technically incorrect, because users can still be manipulated through phishing to carry out full or partial authentication. We have demonstrated this repeatedly in numerous client projects. Involving an additional factor merely complicates the reproducibility of an attack.

Furthermore, there is still a risk of errors during the implementation of the logical sequence. For example, the provider of a service is responsible for detecting and preventing the repeated use of the same successful authentication (replay attack).
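The replay check described above, sketched as an added example (not code from the article or from any WebAuthn library): the service consumes each challenge exactly once and rejects a signature counter that does not increase. The names `issueChallenge`, `makeAuthenticator`, `verifyAssertion`, and the `example.test` values are assumptions, and the authenticator data is reduced to the fields needed here.

```javascript
// Added example: server-side replay checks on a simplified WebAuthn-style assertion.
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();
const RP_ID = 'example.test';            // constructed relying-party ID
const ORIGIN = 'https://example.test';   // constructed origin
const pending = new Set();               // challenges issued but not yet consumed
let credential = null;                   // { publicKey, signCount } stored at registration

function issueChallenge() {
  const challenge = randomBytes(32).toString('base64url');
  pending.add(challenge);
  return challenge;
}

// Constructed software stand-in for a hardware authenticator.
function makeAuthenticator() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let counter = 0;
  const assertion = (challenge) => {
    const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin: ORIGIN }));
    const authData = Buffer.alloc(37);   // rpIdHash (32) | flags (1) | signCount (4)
    sha256(RP_ID).copy(authData, 0);
    authData[32] = 0x01;                 // user-present flag
    authData.writeUInt32BE(++counter, 33);
    const signature = sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authData, signature };
  };
  return { publicKey, assertion };
}

function verifyAssertion({ clientDataJSON, authData, signature }) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get' || client.origin !== ORIGIN) return 'bad-client-data';
  if (!pending.delete(client.challenge)) return 'challenge-reused-or-unknown'; // single use
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return 'bad-rp-id';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  if (!verify('sha256', signed, credential.publicKey, signature)) return 'bad-signature';
  const count = authData.readUInt32BE(33);
  if (count <= credential.signCount) return 'counter-regression'; // stale or cloned key
  credential.signCount = count;
  return 'ok';
}

function demo() {
  const token = makeAuthenticator();
  credential = { publicKey: token.publicKey, signCount: 0 };
  const [first, second, third] = [1, 2, 3].map(() => token.assertion(issueChallenge()));
  return [first, first, third, second].map((a) => verifyAssertion(a));
}
console.log(demo());
```

The second verification of the same assertion fails because its challenge was already consumed, and the out-of-order assertion fails on the counter even though its challenge and signature are valid.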

Many authentication mechanisms, including multi-factor solutions, support the caching of authentication data. A USB flash drive could, for example, be configured as an additional factor in such a way that it only requires authentication with a PIN or fingerprint every 30 minutes. This greatly improves convenience, but it can completely compromise security – at least during this timeframe.

What’s more, each new technical addition increases the code complexity of a browser and, in turn, the risk of programming errors as well. Observations of the exploit market clearly show that both the number of critical vulnerabilities in browsers and the commercial risk associated with these vulnerabilities are constantly increasing.

Nor should it be forgotten that the WebAuthn architecture harbors risks that may compromise user privacy. The systematic analysis of attestation keys makes it possible to track and log users across different services. The standard includes certain mechanisms to prevent these kinds of analyses. This requires the product developer to make a certain modification in the implementation. It remains to be seen whether these companies will take a proactive role in protecting the privacy of their customers.

Conclusion

Strict authentication is the proper way to address a number of well-known risks and an ever-growing number of new ones. The fact that these mechanisms are now being offered by popular services as a matter of course and that users are also making use of them is certainly a step in the right direction.

The goal of WebAuthn is to advance this standardization on the web. However, in doing so, a large portion of the logic is shifted to the client end – primarily the web browser. This rise in software complexity will make the target bigger for elements already in the sights of hackers.

WebAuthn can solve problems but create some new ones as well. Hopefully, the pros will outweigh the cons, but it is likely to take one or two years before we find out.

About the Author

Marc Ruef

Marc Ruef has been working in information security since the late 1990s. He is well-known for his many publications and books. The last one, The Art of Penetration Testing, discusses security testing in detail. He is a lecturer at several universities, like ETH, HWZ, HSLU and IKF. (ORCID 0000-0002-1328-6357)
