New standards for passwordless authentication: how they work

    Last week, two new standards for passwordless authentication on websites and in mobile and web applications were published: the WebAuthn API and CTAP. Both are backed by Microsoft, Mozilla, and Google.

    We will tell you more about them below.

    WebAuthn is the result of a collaboration between two consortia, the W3C and the FIDO Alliance. The first develops technology standards for the web; the second develops and improves standards for strong authentication on the network. Work on the WebAuthn standard began back in 2015, when FIDO submitted its FIDO 2.0 specifications to the W3C. Later versions of the FIDO 2.0 Web API let users log in to Google, Facebook, Dropbox, GitHub and other services using hardware security tokens.

    WebAuthn works on the same principles as the FIDO 2.0 Web API, but it supports many more authentication methods. The new standard lets users identify themselves to web applications and sites by fingerprint, face, retina and other biometric indicators. The biometric check itself is performed locally by the authenticator; the site only receives a signature produced by the user's key, never the biometric data.

    The FIDO Alliance has also developed a new protocol, CTAP (Client-to-Authenticator Protocol), which lets the browser or platform talk to external authenticators such as USB security keys or a mobile device.

    The standards have already been endorsed by representatives of Microsoft, Apple, Google, PayPal and others, which means they will soon start being integrated into the IT ecosystem. In particular, the W3C has already encouraged developers to begin work on WebAuthn implementations.



    How WebAuthn Works


    The sequence of user actions during authentication with the new standard is as follows:

    1. The user opens example.ru on a computer or laptop and sees the option "Log in using the phone".
    2. The user selects this option, and the browser shows the message "Please log in on your phone".
    3. A notification "Log in to example.ru" arrives on the phone.
    4. Tapping the notification shows a list of accounts, from which the user picks the one they need.
    5. The phone then asks for user verification (a fingerprint scan, a PIN code, etc.); if it succeeds, the user is signed in to the site on the computer or laptop.

    The credentials belong to the user and are held by the authenticator, with which a service using WebAuthn interacts through the browser and the OS. Scripts on the page trigger the operations that create new credentials or authenticate with existing ones, but they never get access to the key material itself; they only receive the results as objects.

    The standard is built on two basic methods, one for registration and one for login: navigator.credentials.create() and navigator.credentials.get(). With these, WebAuthn registers a credential with the server and then uses it to authenticate the user.

    • navigator.credentials.create() creates a credential, either when registering an account or when associating a new asymmetric key pair with an existing account.
    • navigator.credentials.get() uses an already registered credential to authenticate to the service.

    Both methods require a secure context (HTTPS). In operation they receive a long random value from the server, called a challenge, and return it signed with the private key. This proves to the server that the user holds the private key needed for authentication, so no additional secret has to be disclosed over the network. The challenge must be freshly generated and unpredictable for every operation; otherwise a captured signature could be replayed.

    At the same time, each credential is bound to a unique identifier of the service (the relying party ID). The client passes this ID to the authenticator on every operation, which ensures that the credential is only ever used for the service it was registered with: a look-alike site on another domain cannot obtain a usable signature.

    About CTAP


    CTAP protocol conceptually consists of three layers: Authenticator API, Message Encoding and Transport-specific Binding.

    At the Authenticator API level, each operation is defined as an API call that accepts input parameters and returns a result (or an error). The methods used here are authenticatorMakeCredential to create a new credential, authenticatorGetAssertion to produce an assertion that proves possession of an existing credential, and authenticatorCancel to cancel all operations in progress.

    At the Message Encoding level, every request to the Authenticator API is serialised into a byte string: the command code followed by the parameters encoded in CBOR (Concise Binary Object Representation). The messages are encoded, not encrypted; the host builds and encodes the request and sends it to the authenticator over the chosen transport.

    At the Transport-specific Binding level, the encoded requests and responses are carried to external authenticators over USB, NFC, Bluetooth, etc.

    Who is implementing


    Firefox 60 and Chrome 67 (due in May) will support WebAuthn. Microsoft announced support for the specification in February for the Edge browser and Windows Hello, its built-in biometric sign-in system.

    The companies are convinced that these browser changes will strengthen protection against phishing, man-in-the-middle (MITM) attacks and replay attacks.

    Apple has not yet commented on support for the standard in Safari, but some of its engineers are members of the WebAuthn working group, so news about an implementation can be expected soon.

    Michael Jones, director of Microsoft partnerships and one of the editors of the WebAuthn specification, said: “Implementing WebAuthn is a big step towards practical, strong, and reliable storage of authentication data on the network.”
