WebAuthn

WebAuthn is a browser feature to extend and strengthen sign in security by using hardware security. This will secure your account with a hardware device that you need to have in order to login.

Because WebAuthn uses public key cryptography as the method of authenticating the user it grants greater protection to user accounts using the site. Phishing attacks, data breaches and brute force login attacks are either eliminated or their harm is greatly reduced.

The hardware security can be provided be either the operating system (platform) or a physical device (cross-platform).

Platform security

Platform security is provided by the operating system you are running on and is restricted to the specific device you are using. This means that if you can authenticate webauthn with the operating system through Windows Hello, TouchId or similar.

You are proving who you are by proving you running on a specific laptop or phone and can authenticate on that device via fingerprint or facial login.

Cross-platform security

Cross-platform security is provided by physical device separate from the device you are running on. This can be a security key like a YubiKey or via an authenticator app running on a second device.

You are proving you have possession of the device required to authenticate.

Multiple devices

You can register multiple credentials against a single account. This means you can register using platform security on multiple devices as well as having physical keys registered at the same time and any one can be used to authenticate your account.

Depending on how you set up WebAuthn on the backend you could also set up the same passkey against multiple accounts on the same system.

Registration

Before you can use an authenticator with a system the authenticator must be registered against your user account on the system.

Authentication flows

There are different scenarios that WebAuthn can be used in a system

Basic verification

This can be a check on a specific area on a site where before you can perform an action you must first verify you have a passkey.

Example before you can delete a user you must first do an extra verification step.

Multi factor authentication

After you enter your username and password you are then required to perform an additional authentication step, this is similar to the code provided by authenticator apps.

Password-less authentication

You only need to provide your username and if your authenticator matches the username you will be allowed to login

Frictionless authentication

If your authenticator is only registered against the one account you can login without supplying either your username or Password. If the response from the authenticator can be matched to one account that account can be logged in.

Browser support

WebAuthn is supported across all major browsers, CanIUse

  • Chrome 67+
  • Edge 18+
  • Safari 13+
  • Firefox 60+
  • Safari iOS 14.5+
  • Internet Explorer (not supported)