WebAuthn: Go passwordless
Did you know that, according to the Verizon 2022 Data Breach Investigations Report (as summarized by SpyCloud), almost 80% of data breaches involve a compromised password?
source: https://spycloud.com/blog/key-takeaways-from-the-verizon-2022-data-breach-investigations-report/#:~:text=In%20its%2015th%20annual%20report,into%20the%20data%20breach%20problem.
Common habits like these make passwords easy to compromise:
1) Weak passwords
2) Reusing the same password across multiple sites, so one leaked database unlocks every account that shares the password
3) Building passwords from guessable personal details such as a date of birth
On top of that, phishing attacks and brute-force attacks (where attackers use automated tools to systematically try password combinations until one works, or replay lists of passwords leaked from other sites) lead to compromised passwords.
So how do we make sure hackers don't get easy access to our data?
Today, browsers like Chrome suggest a strong random password when you register on a site and save it for you so that the next login is easy.
Many sites also offer MFA (multi-factor authentication), adding an extra layer by asking the user for an OTP or similar.
These steps do mitigate the password problem, but the major issue is adoption. Entering an OTP on every login is not a great user experience, people get annoyed, and so most users don't enable MFA on most sites. OTPs are also not phishing-proof: a fake login page can ask for the code and relay it to the real site in real time.
So can we strengthen the login procedure and improve the user experience at the same time?
Yes, we can. WebAuthn to the rescue. WebAuthn replaces the username/password with public-key cryptography: a private key held by the user's device signs a server challenge, and the user unlocks that key with the device's native unlock (fingerprint, Face ID, device PIN, or a hardware security key) instead of typing a password.
You might have experienced this kind of biometric login on some Android apps already.
WebAuthn Workflow
1. During registration, the website (the relying party) asks the browser to create a credential, and the user's device prompts for its native unlock (fingerprint, Face ID, device PIN, etc.).
2. Once unlocked, the device's authenticator generates a fresh public/private key pair scoped to that website's domain. The biometric only unlocks the authenticator; the key pair is not derived from the biometric, and the biometric data itself never leaves the device.
3. The public key and a credential ID are sent to the website, which stores them against the user's account. The private key is kept only on the user's device.
4. When the user later initiates a login, the server generates a random, single-use challenge (a nonce) and sends it to the browser. The challenge is random; it is not derived from the public key.
5. In the UI, the user is prompted with the device's authenticator screen. When the user passes the unlock (fingerprint, Face ID, etc.), the authenticator selects the private key registered for that website.
6. The authenticator signs the challenge together with the origin the browser saw and some authenticator metadata, and the browser sends the signature back to the server. The server verifies it with the stored public key and checks that the challenge is the one it issued and that the origin is its own.
7. Post successful validation, the user is logged in.
Advantages
1. More secure, as no reusable secret is sent over the network: the server only ever sees a signature over a one-time challenge, and because the signed data includes the origin, a phishing site on another domain cannot obtain a response that the real site will accept.
2. Better user experience, as this removes the hassle of providing a username/password.
3. The private key is stored only on the user's device; the server holds just the public key and credential ID, which are useless to an attacker who dumps the database.
WebAuthn is now supported on all major browsers (https://caniuse.com/?search=webauthn). For cross-platform use there are roaming authenticators, FIDO2 security keys such as YubiKeys, that carry the credential between devices.
I hope to see more adoption of this in the coming days.
It’s a great way to provide secure user authentication and remove reliance on passwords.