Overview#
WebAuthn Authenticator is an Authenticator that follows the WebAuthn Authenticator Model. A WebAuthn Authenticator is a device that creates and stores user credentials. In password-based authentication, the credentials (the passwords) are stored in the user's brain. In a WebAuthn scenario, the credentials are stored on a device. An authenticator can be a separate physical device, like a key fob connected to your computer via USB, Bluetooth, or NFC. It can also be embedded into the Operating System, e.g., Windows Hello, or into a User-agent. An authenticator can use interfaces to fingerprint readers or facial recognition sensors to confirm user credentials. Previously, the only authenticators compatible with this specification were dedicated key fobs, which users had to acquire themselves. Such a solution was sufficient for the needs of corporations and security-savvy individuals. FIDO2-compatible WebAuthn Authenticators are now built into Operating Systems and Mobile Devices, so you can use your mobile phone as a WebAuthn Authenticator. The phone uses the security features available on the device to protect your credentials; this could be a PIN to unlock the phone, or data from the fingerprint reader. Most modern Browsers are now compatible with WebAuthn and offer built-in WebAuthn Authenticators that can communicate with the Operating System to authorize a user.
An important feature of a WebAuthn Authenticator is that it connects with the client without using the Internet, using the Client To Authenticator Protocol. You can use your Mobile Device as a WebAuthn Authenticator to log in to a website opened on your laptop, but the phone has to connect to your computer via Bluetooth Low Energy. This prevents any Man-In-The-Middle attacks on the data exchanged between the WebAuthn Client and the WebAuthn Authenticator. Thanks to this, the WebAuthn Client can be sure it is really communicating with the WebAuthn Authenticator and that the data has not been tampered with.
WebAuthn Authenticators may be one or the other:
WebAuthn Authenticators may utilize:
- Biometric Identification

Credential IDs are generated by WebAuthn Authenticators in two forms:
- At least 16 bytes that include at least 100 bits of entropy, or
- The Public Key Credential Source, without its Credential ID, encrypted so only its managing authenticator can decrypt it. This form allows the WebAuthn Authenticator to be nearly stateless, by having the WebAuthn Relying Party store any necessary state.
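As an added illustration of the second, stateless form (example code, not from this page or any authenticator vendor), here is a stdlib-only Python sketch. It swaps the encryption for a related construction some stateless authenticators use: the private key is re-derived from a device master secret and a nonce carried inside the Credential ID, and an HMAC tag binds the ID to the RP ID, so the authenticator rejects IDs it did not issue or that are presented for a different Relying Party. The master secret, the RP IDs and the Credential ID layout below are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # 128 bits of entropy, which meets the "at least 16 bytes / 100 bits" rule
TAG_LEN = 32     # HMAC-SHA256 output


def random_credential_id() -> bytes:
    """Form 1: an opaque random identifier; the authenticator must then keep
    a table mapping this ID to the stored Public Key Credential Source."""
    return secrets.token_bytes(NONCE_LEN)


def _rp_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def _derive_private_key(master: bytes, nonce: bytes, rp_id: str) -> bytes:
    # Illustrative: a real authenticator would feed this seed into its
    # signature algorithm's key generation rather than use it directly.
    return hmac.new(master, b"key|" + nonce + _rp_hash(rp_id), hashlib.sha256).digest()


def _tag(master: bytes, nonce: bytes, rp_id: str) -> bytes:
    # Binds the nonce to the RP so the ID cannot be replayed against another RP.
    return hmac.new(master, b"tag|" + nonce + _rp_hash(rp_id), hashlib.sha256).digest()


def make_credential(master: bytes, rp_id: str) -> tuple[bytes, bytes]:
    """Form 2 (stateless): returns (credential_id, private_key). The Relying
    Party stores credential_id; the authenticator stores nothing per credential."""
    nonce = secrets.token_bytes(NONCE_LEN)
    credential_id = nonce + _tag(master, nonce, rp_id)
    return credential_id, _derive_private_key(master, nonce, rp_id)


def recover_private_key(master: bytes, rp_id: str, credential_id: bytes):
    """Authentication time: rebuild the key from the ID the RP sent back.
    Returns None if the ID is malformed, was issued by a different
    authenticator (other master secret), belongs to another RP, or was altered."""
    if len(credential_id) != NONCE_LEN + TAG_LEN:
        return None
    nonce, tag = credential_id[:NONCE_LEN], credential_id[NONCE_LEN:]
    if not hmac.compare_digest(tag, _tag(master, nonce, rp_id)):
        return None
    return _derive_private_key(master, nonce, rp_id)


if __name__ == "__main__":
    device_master = secrets.token_bytes(32)   # constructed; lives in the secure element in practice
    cid, key = make_credential(device_master, "example.com")
    assert recover_private_key(device_master, "example.com", cid) == key
    assert recover_private_key(device_master, "other.example", cid) is None
```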