As organizations leverage multi-factor authentication (MFA/2FA) to secure their employees, many consider using hardware security keys. Found to be the one of the most secure types of MFA, hardware keys, aka universal second factor (U2F) keys, rely on WebAuthn in order to be applied to web-based services. But what is WebAuthn anyways?
What is WebAuthn?
The Web Authentication API, colloquially known as WebAuthn, was created by the World Wide Web Consortium (W3C) and the FIDO (Fast IDentity Online) Alliance in collaboration with Microsoft, Google, Yubikey, Mozilla, et al. The protocol leverages public key cryptography to specifically authenticate access to web-based resources like applications and some Platform-as-a-Service and Infrastructure-as-a-Service (PaaS & IaaS) solutions.
Public Key Cryptography
When used for authentication, public key cryptography requires that a user present a pair of keys to gain access to a service: a public key and a private key. The public key is shared — usually within the services the user accesses — and is stored in relation to its respective user. When the user offers the private key upon login, the service combines it with the public key and checks the result against a stored value to authenticate the user.
Some forms of public key cryptography, like SSH keys, use complex digital keys that need to be managed. In contrast, WebAuthn can leverage physical hardware such as a USB drive that securely stores the private key until the user needs it. Regardless of how it’s implemented, public key cryptography is generally regarded as a more secure alternative to the username and password combination required at most logins.
Using WebAuthn as a Second Factor
Despite the fact that public key cryptography is more secure, the password prevails as the core authentication method for most services. With WebAuthn, IT admins can safeguard their users by adding an additional factor to their authentication process, often U2F keys.
Why Use U2F Security Keys and WebAuthn
Using WebAuthn to apply U2F keys to web resource access provides three core benefits to an organization. Let’s go over each below.
While evaluating several forms of 2FA and (Read more...)