|
|
|
# WebAuthn
|
|
|
|
Published on 4 March 2019, the WebAuthn standard details an API for accessing public key credentials. WebAuthn is an integral component of the FIDO2 (Fast IDentity Online) Project, which aims to create a strong authentication solution for the internet.
|
|
|
|
|
|
|
|
## How It Works
|
|
|
|
The WebAuthn standard has three components -
|
|
|
|
- The website, a *WebAuthn Relying Party*
|
|
|
|
- The browser, a *WebAuthn Client*
|
|
|
|
- The authenticator, a *FIDO2 authenticator* (E.g. YubiKey, Google Authenticator, Windows Hello)
|
|
|
|
|
|
|
|
### Registration
|
|
|
|
A fairly regular registration form is presented to the user by the website, the user completes the signup and the browser requests the user to connect their authenticator. The authenticator then signs an attestation statement with its private key. This statement, along with its public key and some metadata describing the authenticator is sent to the website.
|
|
|
|
|
|
|
|
### Authentication
|
|
|
|
The website begins authentication with the browser. The browser then prompts the user to connect their authenticator and then proceeds to communicate with it via a JavaScript API. The authenticator signs an authentication assertion that is then verified by the server using the users public key.
|
|
|
|
|
|
|
|
## Support
|
|
|
|
As of 18 April 2019, the WebAuthn standard is supported by -
|
|
|
|
|
|
|
|
- Firefox (Version >= 60)
|
|
|
|
- Google Chrome (Version >= 67)
|
|
|
|
- Microsoft Edge (Build 17682)
|
|
|
|
- Support for Windows Hello
|
|
|
|
- Apple Safari (preview)
|
|
|
|
- Opera Web Browser
|
|
|
|
|
|
|
|
Dropbox has announced support for WebAuthn as a second factor as of 8 May 2018.
|
|
|
|
|
|
|
|
## Criticism
|
|
|
|
Paragon Initiative Enterprises performed a security audit of the WebAuthn standard in August 2018. Through the course of the audit, no specific exploits were identified, however they did reveal several weaknesses in the underlying cryptography.
|
|
|
|
|
|
|
|
- WebAuthn supports RSA with PKCS1v1.5 padding. While difficult to exploit under the given conditions of the standard, this scheme has had known vulnerabilities for at least twenty years. [[Adaptive Chosen-Ciphertext Attack](https://en.wikipedia.org/wiki/Adaptive_chosen-ciphertext_attack)]
|
|
|
|
- The FIDO alliance decided to use the encryption scheme ECDAA, which does not make use of some of the newer information available on elliptic curve cryptography.
|
|
|
|
- While the WebAuthn standard was being developed, the proposal was not made public and cryptographers were not asked for input. It remains to be seen if the standard will hold against academic criticism.
|
|
|
|
|
|
|
|
With all of this in consideration, Paragon Initiative Enterprises continues to encourage users to make use of the WebAuthn standard. Additionally they have made some recommendations for implementation that they hope will be implemented prior to the standard being finalized. |
|
|
|
\ No newline at end of file |
