Posted On: 05-02-2019 | By: Chloe Harris | Topic: Security
In March of 2019, the world of technology experienced an exciting milestone that can be expected to entirely shift the way Internet users securely access their online accounts in just a few years.
Last month, the World Wide Web Consortium (W3C) ratified a standard known as the Web Authentication API, also referred to as WebAuthn. This standard enables web browsers to securely access websites using strong authenticators. This, in turn, can significantly lessen the risks of online attacks such as data breaches, phishing scams, or two-factor authentication attacks.
The WebAuthn standard is revolutionary in that it sets a stage where web service providers can choose to eliminate the use of passwords or receiving of SMS text messages to log in to websites. The user experience subsequently becomes safer and easier to navigate because users are no longer required to keep track of every single one of their passwords for each of their accounts.
Sites could use devices similar to Web Authentication API in the past, but they required specialized, vendor-specific changes to the site. In addition, users had to install support software onto their laptop or phone to allow communication between the hardware authentication device (the physical security key) and the website.
Now with WebAuthn, the ability for web services and devices to communicate through a browser is standardized into a well-known application programming interface (API). Website implementers need only know their part of the API while Web Authentication vendors can have broader support for their devices across more online services.
Several key players in the tech industry are combining their efforts in continuing the building of Web Authentication API: including Google, Microsoft, Yubico, and other authoritative entities in the field.
To put the already observed success of strong authenticators into perspective: Google recently required all of its employees to utilize strong authenticators as the primary method of accessing their accounts in place of passwords and temporary codes. Ever since this security standard was implemented, not one of the 85,000 employees has been subject to a phishing attack.
This is revolutionary, considering that the 2019 Verizon Data Breach Investigations Report concluded that 93% of data breaches were the result of phishing and pretexting.
Leaders in the IT industry are already recommending that WebAuthn API should be the standard followed by the conglomerate of browser creators.
The Web Authentication standard lays out the groundwork for standardized access to hardware security modules directly from a user’s browser.
The tool uses public key cryptography- meaning anyone can encrypt a message with a public key belonging to the receiver, and the message can only be decrypted by means of the receiver’s private key.
In practice, WebAuthn API could present itself in a variety of forms – all utilizing pairs of both public and private keys. When in the process of registering for a site or logging into an existing account, users could plug a USB device into their computer that would then grant them access to the site without the use of a password.
User’s cell phones could also function as the device that would be connected to the computer (instead of a USB device) that would allow a user to log in to their account or register for one.
Another method could present itself as a user visiting example.net on their computer to register an account. After they have clicked to submit their request for registration, the user would receive a notification on their phone prompting them to confirm that they were indeed attempting to register an account on example.net. After the user confirmed their registration attempt, their phone would then show either a short PIN to type into the web page on their computer or a request to scan their fingerprint/retina. After this confirmation, the registration process would be complete and the user would be granted entry to the site.
This method would apply for the login process as well.
At the time of publication, the standard is projected to be a mainstream service in the next few years.
While this standard has been tested on small sample sizes and heavily discussed in the IT industry, more testing and development must be completed before it becomes per diem practice for most web applications.
Several demos of Web Authentication are currently available to the public. Users may access and utilize these demos to understand how this standard securely stores account data and prevents unauthorized users from being able to access an authorized user’s account.
As an IT Advisory company specializing in security, Digital Maelstrom is eager to see the day Web Authentication is adopted across all web browsers.
This standard, as already demonstrated, is expected to greatly increase the security of accounts for online services which employ Web Authentication. We hope to see companies implement this standard of authentication to their web pages so that users can be confident that their accounts are safe from being hacked.
As this is a developing story, we will be posting updates throughout the growth of the technology to keep readers up to date on the development of WebAuthn.
For those interested in learning more, the Guide to Web Authentication by Suby Raman provides another holistic understanding of the standard. Those interested in trying out a Web Authentication API Demo directly through their own browser can access it here.
What are your thoughts on Web Authentication? When do you expect web developers to begin implementing this standard across web browsers? Do you have a web service and have questions about seeing WebAuthn implemented onto your site? Reach out and let us know your thoughts!