WebAuthn

From Embedded Lab Vienna for IoT & Security

Summary

WebAuthn (Web Authentication) is a web standard and browser API created by the FIDO (Fast IDentity Online) Alliance and the W3C (World Wide Web Consortium) to make passwordless authentication possible online. The latest W3C Recommendation was published in March 2019. Instead of a password, WebAuthn works either with an authenticator built into the device, such as a fingerprint sensor or facial recognition, or with an external device such as a USB security key, for verification.

Goal

Its purpose is to offer a more secure and easier way to log into online accounts without storing or remembering large numbers of passwords, which removes the risk of passwords being leaked or forgotten.

Functionality

WebAuthn works with two ceremonies:

The Registration: Registration involves a Relying Party (the server that hosts the website) and the user's client, which must host at least one authenticator. To register, the user navigates to the website where they wish to use Web Authentication and signs in with the method used up to that point, for example a password. The user then chooses to register this site for Web Authentication from now on, which leads to a request to perform the configured authorization gesture. When the provided gesture is accepted, the registration is complete.

The Authentication: For the user, authentication with WebAuthn looks like a normal login, with the one difference that instead of typing a password to verify their identity, the user performs the same authentication gesture that they used when registering with the site.
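To show what the Relying Party actually checks behind the authentication ceremony described above, here is an added example in Python; it is not code from the original page or from any WebAuthn implementation. It models the server-side checks on the response the browser returns from navigator.credentials.get(): it decodes clientDataJSON, verifies the ceremony type, the challenge and the origin, parses the fixed part of authenticatorData (RP ID hash, flags, signature counter), and enforces user presence and a strictly increasing counter. The function names, the RP ID example.test and all sample values are assumptions constructed for this example. The final step, verifying the authenticator's signature over authenticatorData || SHA-256(clientDataJSON) with the public key stored at registration, is not implemented here; the block only assembles that signed message and returns it.

```python
import base64
import hashlib
import json
import struct

# Bits of the flags byte in authenticatorData (WebAuthn Level 1, section 6.1).
FLAG_UP = 0x01  # user present: the authorization gesture was performed
FLAG_UV = 0x04  # user verified: the gesture also verified who the user is (PIN, biometric)
FLAG_AT = 0x40  # attested credential data follows (registration responses only)
FLAG_ED = 0x80  # extension data follows


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding used inside clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}


def verify_assertion(response: dict, expected_challenge: bytes, expected_origin: str,
                     rp_id: str, stored_sign_count: int, require_uv: bool = False) -> dict:
    """Relying-party checks on an authentication (navigator.credentials.get) response.

    Raises ValueError on the first failed check. Returns the counter value to store
    and the byte string over which the authenticator's signature must be verified.
    """
    client_data_bytes = b64url_decode(response["clientDataJSON"])
    client_data = json.loads(client_data_bytes)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    # The challenge binds the response to this particular login attempt.
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch")
    # The browser, not the page, fills in the origin, so a response produced on
    # a different origin cannot be accepted for ours.
    if client_data.get("origin") != expected_origin:
        raise ValueError("origin mismatch")

    auth_data_bytes = b64url_decode(response["authenticatorData"])
    auth = parse_authenticator_data(auth_data_bytes)
    if auth["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the RP ID")
    if not auth["flags"] & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not auth["flags"] & FLAG_UV:
        raise ValueError("user verification required but not performed")
    # Signature counter: when either side is non-zero the new value must be strictly
    # greater than the stored one, otherwise the credential may have been cloned.
    if (auth["sign_count"] != 0 or stored_sign_count != 0) and auth["sign_count"] <= stored_sign_count:
        raise ValueError("signature counter did not increase; possible cloned authenticator")

    # The authenticator signed authenticatorData || SHA-256(clientDataJSON). Verifying
    # that signature with the public key stored at registration is the remaining step.
    signed_message = auth_data_bytes + hashlib.sha256(client_data_bytes).digest()
    return {"new_sign_count": auth["sign_count"],
            "user_verified": bool(auth["flags"] & FLAG_UV),
            "signed_message": signed_message}


def make_sample_response(challenge: bytes, origin: str, rp_id: str, flags: int, sign_count: int) -> dict:
    """Constructed sample (not captured from a real authenticator): builds clientDataJSON and
    authenticatorData with the same layout a browser and authenticator would produce."""
    client_data = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return {"clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
            "authenticatorData": b64url_encode(auth_data)}


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real RP draws a fresh random challenge per login
    good = make_sample_response(challenge, "https://example.test", "example.test",
                                FLAG_UP | FLAG_UV, sign_count=42)
    result = verify_assertion(good, challenge, "https://example.test", "example.test", stored_sign_count=41)
    print("accepted, store counter", result["new_sign_count"])
    wrong_origin = make_sample_response(challenge, "https://other.test", "example.test", FLAG_UP, 43)
    try:
        verify_assertion(wrong_origin, challenge, "https://example.test", "example.test", stored_sign_count=42)
    except ValueError as err:
        print("rejected:", err)
```

The order of checks follows the verification procedure in the specification: client data (type, challenge, origin) first, then authenticator data (RP ID hash, flags, counter), then the signature. Storing the returned counter only after the signature verifies is what makes the clone detection meaningful.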

Authenticators

An authenticator is needed to create a public key credential and to register it with a Relying Party. There are two types of authenticator:

Platform Authenticator:

A platform authenticator is built into a device and therefore uses a client-device-specific transport called platform attachment. Such an authenticator is usually not removable from the device, and the credential created with it is called a platform credential.

Roaming Authenticator:

A roaming authenticator is attached using a cross-platform transport and is therefore said to use cross-platform attachment. Roaming authenticators are removable from the device, for example a USB key fob, and the credential they generate is called a roaming credential.

Example

Webauthn 1.PNG

First, navigate to the website where you want to change the default login to WebAuthn; in this case it is the WebAuthn test website (the link is provided below). We create a new user and pick the option PMT, because we are going to use the laptop's built-in fingerprint sensor to verify our identity.

Webauthn2.PNG

The security feature now asks us to verify our identity with the same authenticator we want to use every time we log into the website. The choice is stored with our ID and used for every subsequent login.

Webauthn3.PNG

The registration was a success, and we are now able to log in using just our fingerprint.

Webauthn4.PNG

You are asked to provide the same authentication you used to log in, in this case the fingerprint.

Webauthn5.PNG

If everything goes well, you are now logged in just using a fingerprint sensor!

Try it yourself if you want to: WebAuthn Demo
