Web Authentication API

Overview#

Web Authentication API (WebAuthn) is an extension of the W3C Credential Management API that enables strong authentication with Public Key Cryptography, enabling passwordless authentication and/or secure Multi-Factor Authentication without SMS texts. The private key never leaves the authenticator; the Relying Party only ever stores the public key.

Web Authentication API is a W3C approved Standard as of 2019-03-04.

How Web Authentication API Works#


User registers to a Website (WebAuthn Registration)#

The user arrives on a website (WebAuthn Relying Party) on their WebAuthn Client Device.

When the user logs in to the website, the website offers several options for authentication, using native support within all leading browsers and platforms. (WebAuthn Authentication)

User chooses an authenticator#

The user can register to the website using a wide choice of authenticators, including an external authenticator, such as a Security Key, or an authenticator built into the platform that verifies the user with biometrics (e.g. Fingerprint recognition, Iris recognition, Facial recognition) or a device PIN.

The recommended approach is for the user to perform WebAuthn Registration with more than one Authenticator: for example a Roaming Authenticator such as a Security Key, which is portable between devices, and a Platform Authenticator on the device itself for everyday authentication. (All WebAuthn credentials are phishing resistant, because each is scoped to the Relying Party's origin.) The benefit of this approach is that if the WebAuthn Client Device is compromised, lost or stolen, the user still has a Roaming Authenticator that can be used to quickly onboard a new WebAuthn Client Device and re-authenticate to the WebAuthn Relying Party.

User authenticates to the website#

After the registration step, the user is authenticated to the service on the device.

Once the user has registered to the website they can choose to Log out and Login again with whichever authenticator is preferred by the user.

Rapid Credential Recovery from lost/stolen Client Device#

Allowing users to self-register multiple authenticators to each service makes it possible to rapidly recover from a lost/stolen device.

With WebAuthn, an external authenticator, such as a Security Key, becomes a portable Root of Trust enabling rapid recovery and bootstrapping of new devices.

Web Authentication API Details#

A WebAuthn Relying Party employs the Web Authentication API during two distinct, but related, "ceremonies" involving a user: Registration, in which a new credential is created, and Authentication, in which an existing credential is used to prove possession of its private key.

A Public Key Credential is created and stored by an authenticator at the behest of a WebAuthn Relying Party, subject to user consent. Subsequently, the Public Key Credential can only be accessed by origins belonging to that WebAuthn Relying Party. This scoping is enforced jointly by conforming User-agents and authenticators. Additionally, privacy across Relying Parties is maintained; Relying Parties are not able to detect any properties, or even the existence, of credentials scoped to other Relying Parties.

Functionally, the Web Authentication API comprises the PublicKeyCredential interface, which extends the Credential Management API's Credential, together with the infrastructure that allows those credentials to be created with navigator.credentials.create() and used with navigator.credentials.get(). The former is used during Registration, the latter during Authentication.

Broadly, compliant authenticators protect Public Key Credentials (in particular their private keys) and interact with user-agents to implement the Web Authentication API. Some authenticators MAY run on the same client device (e.g., smart phone, tablet, desktop PC) as the user-agent is running on. For instance, such an authenticator might consist of a Trusted Execution Environment (TEE) applet, a Trusted Platform Module (TPM), or a Secure Element integrated into the WebAuthn Client Device in conjunction with some means for user verification, along with appropriate driver software to mediate access to these components' functionality. Other authenticators MAY operate autonomously from the client device running the user agent, and be accessed over a transport such as Universal Serial Bus (USB), Bluetooth Low Energy (BLE) or Near Field Communications (NFC).

The Web Authentication Working Group has closely coordinated with the FIDO Alliance to ensure that FIDO2 Client To Authenticator Protocol (CTAP) implementations work well with WebAuthn, and has also coordinated closely with the W3C Credential Management API work.

Relying Parties and Clients#

Relying Parties are web or native applications that wish to consume strong credentials. A native application may also act as a WebAuthn Client and make WebAuthn calls directly through platform APIs. In the web case, the entity that wants to consume the credential cannot interact with the authenticator directly and so must broker the request through the browser, which acts as the WebAuthn Client. Do not confuse a WebAuthn Relying Party with a Federated Relying Party: WebAuthn authenticates a user to one Relying Party at a time and is not itself a Single Sign-On protocol.

More Information#

There might be more information for this subject on one of the following: