Stina Ehrensvärd, CEO and Founder of Yubico, talks to Intelligent CISO about how WebAuthn could be set to put an end to account takeovers and stolen credentials.
Recently, the World Wide Web Consortium (W3C) approved a new standard for secure web authentication: WebAuthn. WebAuthn is the first global standard for web authentication and is on track to be supported by all platforms and browsers, marking a milestone in the history of Internet security.
With much of our personal and business lives now online, the need for stronger security has never been more important to protect our digital identities. With WebAuthn, there is now a clear path to addressing the problem behind the vast majority of security breaches — account takeovers due to stolen online credentials.
What is WebAuthn?
The development of the WebAuthn specification was more than a three-year process but it actually represents the culmination of more than a decade of innovation and seven years of standards work. Starting first with the adoption of the Universal Second Factor (U2F) standard, pioneered by Yubico and Google, then followed by FIDO2 and now WebAuthn, these standards are a natural evolution built upon each other to bring together new important security capabilities for the modern web:
- Phishing resistance: As an evolution of the U2F standard, WebAuthn uses asymmetric (public-key) cryptography and origin bound key validation to verify the authenticity of the website where authentication is taking place. These built-in security checks significantly reduce the vulnerability to phishing attacks and resulting credential theft.
- Passwordless login: WebAuthn reduces reliance on weak passwords by making it easy for developers to create secure applications using a choice of stronger authentication methods. With support for WebAuthn built in to platform and operating systems, it is now possible for application developers to upgrade authentication with a choice of modern authentication methods.
- Modern authentication options: WebAuthn provides users with the option to register a choice of authenticators to their account, including external hardware security keys as well as built-in authenticators such as fingerprint sensors or facial recognition cameras included in many devices.
This choice of authenticators now provides users with a much-improved experience for account management and recovery. For example, a user can choose to use a fingerprint reader to log in to mobile apps on a mobile device and also register a hardware security key. This makes it easy to quickly establish access to accounts on a new device if the original device is upgraded, lost, stolen or compromised.
Putting an end to account takeovers and stolen credentials
For years, users have been reliant on usernames and passwords to protect their online accounts. Today, millions of user credentials from data breaches around the world are now accessible on the web, including 773 million records known as Collection #1, making stolen credentials the cause of the vast majority of account takeovers.
With WebAuthn, users no longer have to rely on the weak security of passwords. Going forward, users can expect services to offer WebAuthn strong authentication methods including the option to use security keys and built-in platform authenticators to protect online accounts.
WebAuthn represents a major step forward in Internet security, paving the way to a world of user-friendly and highly-secure password-free authentication.
With the approval of the new WebAuthn standard, major web browsers and operating systems already supporting the standard include Microsoft Edge, Mozilla Firefox, Google Chrome and Google Android with Apple Safari actively testing the API.
This innovation provides application developers and service providers the option to deliver stronger security for users, while enabling an easy to use login experience that takes us all beyond the historic problems of passwords.
Users who would like the highest form of protection for their online accounts should request support for WebAuthn from their favourite or most-used online services including banks, tax preparation software, government services and online shopping sites.
Developers and online services that are serious about delivering highly secure and easy-to-use login methods for their users can rapidly add support for WebAuthn. Yubico and other WebAuthn contributors offer developers reference documentation, testing tools and open source servers to enable rapid implementation of WebAuthn.