Web Authentication (WebAuthn) – How to Get Rid of the Passwords Once and for All


Passwords, however important, are seldom liked by any of us. Whether you are an advanced user, a developer, or a casual user of Android or iPhone, nobody likes to enter passwords. Despite all the advancements in technology and the promises made over the past half-century, no replacement for passwords has come into existence until now.

One nuisance of passwords is having to create a complicated mixture of characters, numbers, and letters; having to remember that complicated password just tops it off. So many of us prefer to create simpler passwords that are easier to remember, but that are also easier for hackers to break.

For a similar reason, almost none of us enjoy entering a password each time we have to log in. Most of us find it convenient to just use social logins. So we end up using the identity from one app or website for other apps as well, linking all our identities. Basically, when we use federated logins, we agree to trust that website to keep our data secure and respect our privacy. And that clearly depends on the website’s security.

What are the benefits of social logins?

  • Quick sign up to a website or app
  • A uniform process to log into any site
  • Fewer web apps to deal with

What are the advantages of social logins for developers?

  • Free logins
  • Gives the app more exposure
  • Third-party verification slows down spam attacks
  • Mitigates failed login attempts
  • Removes the problem of ‘forgotten password’ incidents
  • Best suited for social apps, as they need social login

Why should social logins be avoided?

  • Changes made to the external platform can prevent a person from using the third-party platform’s services
  • The third party can mine the data and might reveal user data
  • If the third party can’t keep its platform secure and its data is exposed, your data would also be under threat
  • Social logins compete with your own brand identity, e.g. by showing Facebook, Google, etc. in your login forms.

How have password managers saved us?

For sixty years, technology experts have been trying to devise a solution that removes passwords from our lives, but no promise has been kept to this day. Password managers are the result of the same series of attempts. They have made our lives easier, as they provide many services at once.

  • All your passwords are kept in one place in encrypted form
  • Generates strong passwords
  • Automatically logs you into sites
  • Stores payment information
  • Makes online payments easier
  • You no longer have to remember passwords

There’s no denying that password managers do create complex passwords for you. However, using malware that targets PC RAM and some fairly standard memory forensics, hackers could still theoretically extract a plain-text master password, or individual credentials, from password manager tools on Windows 10 and then use them to breach the password manager.

And despite all the comfort password managers have brought to our lives, the fact remains that we haven’t yet gotten rid of passwords. If we use password managers, we still have to create passwords, which then remain stored in the password manager.

There is another major risk associated with password managers. When all of your passwords are stored in one place, all of them are exposed to a threat simultaneously. If a hacker gains access to your master password, they gain access to all your passwords without any further effort, which puts you at greater risk.

Imagine, you don’t have to remember passwords at all. Wouldn’t it be a dream come true?

After sixty years of waiting and constant attempts, a solution has finally appeared.

This new technology, called Web Authentication (also known as FIDO2), is built on long-established cryptographic principles, is supported by most native devices, and frees the user from remembering passwords.


WebAuthn: A Promise to a Password-free Future

WebAuthn aims purely to replace the passwords of your online accounts. Many browsers, such as Edge, Chrome, and Safari, support WebAuthn. Its specification is written by the W3C (World Wide Web Consortium). WebAuthn is rapidly gaining recognition across the world, and many individuals and companies are adopting the technology.

How will end-users benefit from WebAuthn?

To use WebAuthn, the user needs an external security device such as a FIDO2 security key, or an internal authenticator such as a fingerprint reader, facial recognition, or another biometric mechanism, to log into the service. With these methods you can log into as many apps as you like and create as many identities as you wish, with each identity unique and distinct from the previous one.

Each identity you create through WebAuthn is a virtual one, with no connection to any of the identities you previously created for different apps. This alone is a huge leap for online privacy.

Compared to the weak passwords that many people create and use for online websites, WebAuthn is far more secure.

Why? Because passwords are shared secrets that, even when hashed, can be stolen and used against other apps. With WebAuthn, the website stores only a public key, so even if the public keys get stolen they are useless: the matching private key never leaves the authenticator. With WebAuthn you don’t have to remember a string of characters as your password, so there is no hazard of forgetting a complex password when you don’t have to create one in the first place.

A great deal of the motivation behind the development of WebAuthn was to reduce the dependence on passwords and on authentication methods that are easily phished.

WebAuthn: An open standard

WebAuthn is an open standard for creating and accessing new key credentials, and it is available to everyone. Individuals can create their own security key for the internet. WebAuthn has literally introduced us to a realm of freedom: freedom from passwords. When WebAuthn arrived, websites had to integrate it in order to enjoy its benefits in full. Passwordless is still ahead of us, but companies like Dropbox are already taking advantage of WebAuthn to add a second authentication factor. Microsoft goes one step further and enables WebAuthn natively in the Edge browser. By now several websites and platforms have integrated WebAuthn, which has greatly improved the end-user experience.

Google, Microsoft, Yubico, MasterCard, Bank of America, and other renowned organizations came forward together to create a solution that frees us all from passwords. These organizations have been working on it since 2013 and eventually created WebAuthn; the project was named FIDO2. Developers can offer their users a password-free experience, because all the components are already there and can be combined with other technologies or used on their own.

How can existing authentication methods work with WebAuthn?

Besides external security keys, such as YubiKeys, Web Authentication also lets users rely on their existing authenticators, such as a phone’s facial recognition, fingerprint scanner, or retina scanner. You can use local authenticators with WebAuthn to unlock your machine and to create and authenticate your identities. WebAuthn, together with these technologies, can be used to enable two-factor authentication on websites or as the primary authentication mechanism.

Using WebAuthn involves two steps: registration and authentication. Once registered, users can authenticate (log in / sign in) with WebAuthn. Registration involves creating a new key pair and an attestation; the authentication step does not require new information about the user or the relying party. Rather than creating an attestation, authentication creates an assertion using the key pair generated previously.

What has Web Authentication changed?

Over the past few years, many companies have started to shun traditional passwords and shift to comparatively more secure ways of authentication. These methods include biometrics, SMS verification, OTPs, security keys, and more.

Web Authentication is a specification that, using these methods, lets users log into sites. It has brought a solid authentication mechanism that both authenticators and web browsers can implement. A great number of users can now use Web Authentication following the release of Firefox 60 and Chrome 67. Authenticators such as the YubiKey already work with current implementations by supporting the necessary protocols.

For those who choose to use WebAuthn, there is no need to create and remember a password.

Plus, separate identities are created for different sites and apps. With that in place, we can now look forward to a future that treats passwords as something from days of yore.

This article is based on the Security Weekly podcast Hack Naked News, episode #218, with Paul Asadoorian and guest Marcin Szary. You can watch the full episode here.

Antoni takes care of all the marketing content that comes from Secfense.

Testimonials

We are faced with new challenges every day. We must always be one step ahead of the attackers and know what they are going to do before they do it. We are convinced that the User Access Security Broker will bring security to a new level, both for those working at the office and from home. For us, working with Secfense is an opportunity to exchange experience with developers who put great value on out-of-the-box thinking.

Krzysztof Słotwiński

Business Continuity and Computer Security Officer

BNP Paribas Bank Poland

As part of the pre-implementation analysis, we verified that users utilize a wide range of client platforms: desktop computers, laptops, tablets, smartphones, and traditional mobile phones. Each of these devices differs in technological advancement, features, and level of security. Because of this, and also due to the recommendation of the Polish Financial Supervision Authority (UKNF), we decided to introduce additional protection in the form of multi-factor authentication mechanisms based on FIDO. As a result, users of our applications can log in safely, avoiding common cyber threats such as phishing, account takeover, and theft of their own and their clients’ data.

Marcin Bobruk

CEO

Sandis

We are excited to partner with Secfense to enhance our user access security for our web apps. By integrating their User Access Security Broker, we ensure seamless and secure protection for our applications and systems, delivering superior security and convenience to our customers.

Charm Abeywardana

IT & Infrastructure

Visium Networks

Before investing in Secfense, we had the opportunity to talk to its existing clients. Their reactions were unanimous: wow, it’s so easy to use. We were particularly impressed by the fact that implementing their solution does not require the involvement of IT developers. It gives Secfense a huge advantage over the competition, and at the same time opens the door to potential customers who so far were afraid of changes related to the implementation of multi-factor authentication solutions.

Mateusz Bodio

Managing Director

RKKVC

“Even when the network and infrastructure are secured enough, social engineering and passwords can be used to gain control of the system by attackers. Multifactor authentication is the current trend. Secfense addresses this and allows you to build zero trust security and upgrade your current systems to passwordless applications within minutes, solving this problem right away,” said Eduard Kučera, Partner at Presto Ventures and cybersecurity expert – former Director in hugely successful Czech multinational cyber security firm Avast.

Eduard Kučera

Partner

Presto Ventures

One of the biggest challenges the world is facing today is securing our identity online. That’s why we were so keen to have Secfense in our portfolio. They make it possible to introduce strong authentication in an automated way. Until now, organizations had to selectively protect applications because the deployment of new technology was very hard, or even impossible. With Secfense, the implementation of multi-factor authentication is no longer a problem, and all organizations can use the highest standards of authentication security.

Stanislav Ivanov

Founding Partner

Tera Ventures

Two-factor authentication is known to be one of the best ways to protect against phishing; however, its implementation has always been difficult. Secfense helped us solve that problem. With their security broker, we were able to introduce various 2FA methods on our web applications at once.

Dariusz Pitala

Head of IT

MPEC S.A.