Overview#
WebAuthN is an abbreviation of Web Authentication API. Some other abbreviations used within WebAuthN:
- FIDO — Fast IDentity Online, or FIDO Alliance, a consortium that develops secure, open, phishing-resistant, Passwordless Authentication standards. The FIDO Protocol Family is the set of protocols developed by the FIDO Alliance.
- UAF — Universal Authentication Framework
- U2F — Universal Second Factor
- FIDO2 - generally implies "Use any of the three protocols"
- CTAP — Client To Authenticator Protocol — A set of low-level protocols for communicating with WebAuthn Authenticators over BLE/NFC/USB. The CTAP family includes the CTAP1 and CTAP2 protocols.
- CTAP1 — The formal name of the U2F protocol.
- CTAP2 — The name of the second version of the CTAP protocol. Its main characteristics are the use of CBOR for encoding structures, backwards compatibility with CTAP1 (U2F), extensions and new attestation formats. CTAP1 and CTAP2 share the same transport layer, so the difference between the versions is mainly structural.
- WebAuthN — A browser JavaScript API that describes an interface for creating and managing Public Key credentials.
FIDO 1.0: U2F and UAF#
In 2014, FIDO published the Universal Authentication Framework (UAF), which was intended to implement passwordless authentication through biometrics. FIDO then added Universal 2nd Factor (U2F), developed by Google and Yubico as a more secure replacement for traditional OTP-based two-factor authentication (2FA). U2F included its own client-side protocol, the Client to Authenticator Protocol (CTAP), which could be used to authenticate a token over USB, near-field communication (NFC), or Bluetooth. In this way, FIDO 1.0 applied public-key cryptography to overcome the inherent weaknesses of OTPs sent across insecure networks. Instead of a simple PIN, a private/public key pair was created during registration for a service, with the private key secured on the user's token or device and never transmitted. This meant there was nothing to intercept and steal; all the service provider retained was the public key associated with the user.
Nevertheless, FIDO 1.0 was still two protocols built to do different things and created in the interests of two different players: an industry alliance backed by PayPal (UAF), and Google (U2F). One big name, Apple, was missing, and it set about implementing its own biometric authentication, namely Touch ID and later Face ID. The risk was that FIDO would become fragmented, with the user experience dictated by platforms and devices.
On the plus side, UAF had embedded support for biometric authentication inside mobile devices, while U2F was supported natively inside the world's most popular web browser, Chrome. This meant that FIDO authentication wasn't something users had to enable or download; it was an embedded capability to which many already had access.
FIDO2 and Web Authentication API#
FIDO2 is a further development of Google and Yubico's U2F protocol with an expanded version of CTAP, now called CTAP2. While U2F was designed to act as a second factor alongside passwords, FIDO2's purpose is to allow Passwordless Authentication. It does this via a new Web Authentication API (WebAuthN). This API allows web applications to use Public Key cryptography and Authenticators directly. So where FIDO 1.0 still required usernames and passwords, FIDO2 has created the architecture needed to do away with traditional credentials.
WebAuthn with CTAP2 has two important capabilities. First, it's backwards-compatible and complementary to U2F and UAF, so anyone using those technologies can continue to do so even as efforts shift to WebAuthn and CTAP2. Second, WebAuthn has been adopted by the World Wide Web Consortium (W3C), meaning it’s an open web standard, rather than one backed by just a handful of companies. Browser support for WebAuthn has been added to Chrome, Firefox, and Edge.
How will WebAuthn improve on FIDO 1.0 from the user's point of view? By making authentication universal and easy to use, and by allowing everyone to move beyond passwords (an authentication method that has become a global security weakness). However, challenges remain, such as overcoming a lack of awareness about the need for authentication, and the perception that UAF and U2F were only intended for businesses and power users. This can be overcome by brands and service providers offering WebAuthn as a default option. The challenge over the next two years will be to get more ordinary web users to switch from passwords to WebAuthn; it's just a matter of trust.
LDAPWiki strongly supports open standards such as FIDO2 and WebAuthN.
More Information#
There might be more information for this subject on one of the following:
- Best Practices Password
- CTAP2
- Client Device
- Client To Authenticator Protocol
- Clients
- Credential Management API
- Derived Credential
- FIDO Alliance
- FIDO Standards
- FIDO-CTAP
- FIDO2
- P-256
- Passwordless Authentication
- Platform Authenticator
- Public Key Credential
- RFC 8809
- Roaming Authenticator
- U2F
- U2F device
- User Verification Method
- Virtual Authenticator
- Web Authentication
- Web Authentication API
- WebAuthN
- WebAuthn Attestation
- WebAuthn Attestation Statement Format Identifier
- WebAuthn Authenticator
- WebAuthn Authenticator Model
- WebAuthn Extension Identifiers
- WebAuthn Registration
- WebAuthn-Registries
- What To Do About Passwords
- Windows Hello