The vision of a secure, passwordless experience on the web has long been on the minds of security professionals and password-fatigued users. An open standard called Web Authentication (or “WebAuthn”) is rapidly progressing towards achieving that vision after hitting a major milestone this week.
Specifically, on April 10 the World Wide Web Consortium (W3C) and the FIDO Alliance announced that the WebAuthn spec had advanced to “Candidate Recommendation”, the stage at which the W3C considers a spec stable enough to implement and the last major step before Proposed Recommendation and final approval as a W3C Recommendation.
A primer on the FIDO Alliance
The FIDO (“Fast IDentity Online”) Alliance is an industry consortium launched in 2013 to make strong authentication devices interoperable, with the aim of reducing reliance on passwords and raising the security bar. FIDO was heavily involved in driving the new WebAuthn spec, but was previously responsible for two specifications that attack the same strong-authentication problem:
Universal Second Factor (U2F): Initially developed by Google and Yubico, this open authentication standard is now hosted by the FIDO Alliance. U2F provides a strong second factor through a public-key challenge-response: the device signs a server-supplied challenge together with the origin the browser presented it on, so a response cannot be replayed to the real service or relayed through a phishing site acting as a man in the middle. It’s typically deployed via a USB or NFC device.
Universal Authentication Framework (UAF): The FIDO Alliance began work on this protocol in 2014, with the goal of enabling a secure passwordless experience for primary authentication, as opposed to the second factor described in U2F. Under the spec, the user unlocks the authenticator locally with a biometric or PIN, and the authenticator then proves possession of a key to the service; no password is sent or stored. No major browser has built UAF in, which has limited its adoption.
What makes WebAuthn different?
WebAuthn has been in the works since 2016, when security professionals banded together to research a better way to handle authentication on the web. You can think of WebAuthn as an evolution of the FIDO U2F and UAF protocols. WebAuthn continues in the FIDO tradition of letting a credential serve as a second factor for step-up authentication. Its most significant innovation, however, is that the same credential can also be the primary factor: with user verification (a PIN or biometric) performed on the authenticator, and a credential the authenticator stores itself, a user can sign in to a service without first identifying themselves through a username and password combination.
As we learned with UAF, a critical component to mass adoption of web authentication protocols is having the support of major browsers. The WebAuthn spec includes contributions from Microsoft, Google, and Mozilla among others, which is why many are optimistic about the success of WebAuthn adoption.
In fact, the W3C web standards body announced that Google, Microsoft, and Mozilla had committed to supporting WebAuthn, although Apple’s Safari has yet to announce support of the new standard.
Okta and WebAuthn
At Okta we are thrilled to see the evolution of these FIDO protocols and have long shared the vision of a secure, passwordless world. Broken authentication practices have given rise to a range of identity attacks, and our Adaptive Multi-Factor Authentication solution is designed to mitigate these risks while minimizing the impact on the user. But until now, the primary browsers haven’t provided a secure way to eliminate the password as a primary method of authentication.
As the WebAuthn protocol moves forward in its implementation, we’ll be there to support it. Okta currently supports an integration with Windows Hello that closely resembles the WebAuthn protocol, allowing users to perform step-up authentication using facial recognition or PIN verification in the Hello framework.
Okta is committed to supporting open standards for authentication, and as the W3C finalizes the WebAuthn spec, we will look to incorporate the full WebAuthn implementation into our service. This will allow customers to use WebAuthn-compliant platforms and authenticators for step-up and passwordless authentication into the Okta service.