What is WebAuthN? Possibly the answer to all web authentication

With strong support from Google, Microsoft and other vendors, WebAuthN is poised to become a true standard for passwordless authentication over the web.

For decades we’ve been trying to replace the easily hackable, ubiquitous, single-factor logon name/password authentication deployments with something better. At least for web-based scenarios, the answer is finally here in the form of the new Web Authentication (WebAuthN) standard and API. WebAuthN enables website owners and service providers to present a unique cryptographic challenge that is bound to its origin. Local authentication of any kind is stored on and never leaves the user’s device.

It is likely that within just a few years, most serious websites and services will be WebAuthN-based, particularly those using multi-factor authentication (MFA) and passwordless solutions. Even websites using single-factor, passwordless solutions will benefit by using WebAuthN.

The questions are whether WebAuthN is the right standard and whether it can be hacked. The answer to both is yes.

Introducing WebAuthN

The World Wide Web Consortium (W3C), the international group behind many of the Internet’s emerging open standards, created the working group behind WebAuthN in February 2016. The first meeting was on March 4, 2016, and it used the FIDO Alliance’s FIDO 2.0 standard as a starting point. The WebAuthN standard defines the WebAuthN API and the digital signature details, both of which must be implemented by every client and server that uses WebAuthN.