WebAuthn Is Great and It Sucks
What is WebAuthn again?
First things first, let’s all agree that passwords suck, OK?
Good, glad we’re on the same page. Passwords are hard to remember, leading people to pick weak ones and reuse them over and over. Passwords are also easy to phish, with ever more subtle and believable attacks happening all the time.
WebAuthn—short for Web Authentication—promises to fix passwords on the web with a strong, simple, and un-phishable standard for secure authentication. WebAuthn at its heart is a credential management API built into modern web browsers allowing web applications to strongly authenticate users, and it’s now a World Wide Web Consortium standard.
How does WebAuthn do this? Public key cryptography, which allows you to strongly authenticate without a password. Using WebAuthn, you're able to use a single authenticator (like a Yubikey, for example) on any site that supports the standard. This way, as a user, you don't need to have passwords for every site you visit, just a strong authenticator that works with WebAuthn.
In addition to offering convenience, WebAuthn provides privacy, as one site can’t figure out from the authenticator what other sites you’ve used it for. Attackers also can’t capture and successfully replay the authentication request, so malicious sites can’t use it to attack the genuine sites, eliminating man-in-the-middle attacks. WebAuthn also allows you to choose your own authenticator, a device you already have (like a smartphone or computer) or an external authenticator like a USB security key.
Wow, sounds great!
OK, so I looked up WebAuthn and it’s full of acronyms!
You bet, let’s look at what they mean!
FIDO is short for Fast IDentity Online. The FIDO Alliance is an open industry association with hundreds of member companies, working to create authentication standards to help reduce the world’s over-reliance on passwords.
FIDO2 is the overarching term for the specifications from the World Wide Web Consortium (W3C) and the FIDO Alliance. It includes both WebAuthentication (web APIs for passwordless authentication in browsers) and CTAP protocols.
CTAP stands for Client To Authenticator Protocol. It describes how authenticators can implement second-factor and passwordless authentication. These authenticators can be built-in to devices like phones and laptops (on-device or platform authenticators), or they can be external ones (roaming authenticators or security keys) connecting over NFC, USB, and/or BLE.
CTAP2 is the new hotness. It enables you to use the new authenticators not only for second-factor authentication, but also for passwordless and multi-factor authentication.
CTAP1 is what used to be called FIDO U2F. It allows older U2F authenticators like security keys to continue to be used for second-factor authentication, i.e. as an extra step after a password.
Image copyright FIDO Alliance
Easy, right? Well, it could be a lot worse—just look at the OAuth 2.0 specifications!
If you want to see how WebAuthn works behind the scenes, watch this great video by James Fang and Payal Pan from Oktane 19.
Wait, why do I care again?
Great question! The key promise is …. *drum roll* strong passwordless authentication!
The older FIDO U2F protocols and security keys allow for strong and phishing-resistant second-factor experiences, but now we’re talking passwordless! Just think of how smooth and seamless that will be!
These new protocols make it possible to require even stronger authentication than the user presence test of U2F protocol, where you tap the security key to authenticate. With FIDO2, sites can require user verification at different levels from password or PIN tied to the security key all the way to on-device biometrics, such as fingerprint readers, Face ID, or Windows Hello. This can enable single-device multi-factor authentication, combining the possession factor (you have the authenticator) with a knowledge factor (you know the PIN) and/or inherent factors (your biometric, like fingerprint or faceprint matches).
Now, the biggest challenge in moving past passwords is the simple fact that it has been the lowest common denominator—the easiest and cheapest thing to implement. Passwords like we know them date back 59 years (!!) going back to MIT in 1961 with the CTSS operating system. Passwords are literally everywhere.
Every gizmo that has come since with a promise to eliminate the password has failed. There’s always been a platform, service, or system that didn’t support the latest new passwordless idea, and very few were ready to pay the cost of changing the servers, the operating systems, the applications, everything, just to get a non-compatible point solution. Passwords are cheap. Everything else is expensive.
Except now, with WebAuthn!
Everything supports WebAuthn! Great!
We are at a cusp of having universal support for WebAuthn! All major operating systems and browsers have now implemented WebAuthn.
As I write this in April 2020, a full 83% of all the browsers in use around the world support it, as you can see in this CanIUse report.
There are dozens of different FIDO2-compatible security keys available from companies like Yubico, Feitian, Google, Kensington, and others. And developers have built support into operating systems (iOS, Android, Windows, macOS) so you can use platform authenticators like Touch ID sensors on MacBooks and facial recognition and fingerprint sensors on PCs.
Victory, hooray! Let’s go and get a FIDO2 Security Key so we can use it everywhere!
Nothing supports WebAuthn! What?!
Except when you go to set it up, you will find that basically no major web application supports WebAuthn the way we envisioned here as replacement for the password! D’oh!
Web applications support WebAuthn fairly well as a second factor, backward compatible to FIDO U2F, but even that support remains far from universal.
Story time! I’ve always been more than a little paranoid, an occupational hazard having worked around web security for 20+ years. Outside of work, I already had a unique, complex, and non-Pwned password for each of the 562 websites and apps I have a login for (not counting the work apps behind Okta SSO of course). Yes, I use a password manager—I’m not an animal.
Let me recount my experience when I went to set up WebAuthn on every account whose security really matters to me! Passwords begone! Here are the results!
Let’s see the scoreboard
- GMail: Yes! But alas only as a U2F security key after password.
- Another email: No, but at least they support generic TOTP second factors.
- Apple iCloud: Proprietary multi-factor authentication, but that’s a different story.
- Cellular provider: LOL NOPE! Security PIN only and SMS, which they helpfully are willing to send to my kids’ phone numbers too in case they ever guess my password!
- Top modern robo advisor: No, but at least they support generic TOTP.
- Top online brokerage: No, but at least they support a proprietary third-party TOTP app.
- Top retirement account: LOL NOPE! SMS!
- Top-three credit card issuer: LOL NOPE! SMS!
- Another top-three credit card issuer: LOL NOPE! No strong authentication of ANY kind.
- Top-five bank: LOL NOPE! SMS! Or they’ll sell you a 90’s-style hardware TOTP token!
- Local credit union: LOL NOPE! They got nothing, but the last time I tried to log in my account was locked out, so good to know that somebody’s trying to brute-force my complex, globally unique password :)
- Online crypto currency wallet: Yes! But alas only as a U2F security key after password. Also, they block my FIDO2 platform authenticator and only allow USB security keys. And once you add a security key, you lose your TOTP! It’s one or the other!
- My DNS / hosting provider: Yes! But alas only as a U2F security key after password.
- Facebook: Yes, but just as a second factor, U2F mode.
- Twitter: Yes, but just as a second factor, U2F mode, and the settings are buried deep.
- Zoom: Nope. Just a well-hidden option to add a generic TOTP second factor.
- Dropbox: Yes, but just as a second factor, U2F mode.
So, the score is 0 (zero) out of 17 for going passwordless with WebAuthn. Sigh.
Or we could say the score is 6 out of 17, if we accept U2F mode using WebAuthn as a second factor.
Don’t banks want better security?
Well, they do, but they are not pushing end-user-visible and end-user-operated security tools, because today even the best ones like WebAuthn add friction in the form of inconsistencies and confusion. And as I’ll show you shortly, even with WebAuthn that friction is unfortunately real.
Any friction translates to confused and angry customers, which translates to millions of dollars in call-center cost and customer churn. Remember that even small banks have tens of thousands of users, large ones tens of millions! This is why banking security professionals focus so heavily on the invisible, back-end fraud detection and risk management tools. And if an attacker compromises an account and takes money, the bank can make the account holder whole again and treat it as a cost of doing business. Corporate banking portals dealing with big money transfers typically use strong authentication, as the user population is much smaller and more receptive to adopting security measures.
So, don’t look for consumer financial services to adopt passwordless WebAuthn first. That won’t happen until browsers and operating systems universally support it and not until the user experience is consistent and great.
Why can’t we have nice things?
So are WebAuthn and FIDO2 doomed to fail? And can it ever get us to passwordless?
Well, the technology doesn’t suck, the protocols work, the basic tech is kind of great, and you can and should use WebAuthn as a second-factor authenticator everywhere that matters! Security keys are one of the strongest practical authenticators available today, and they are useful for anyone who would ever get this far into a blog post like this.
The problem is, while they technically work, the user experience is broken.
Every website has a different path for setting things up. What the security settings are called and where they are found are wildly inconsistent from one website to the next.
Every browser and operating system presents the experience in a different-looking pane or slide-over. The terminology different browsers use is inconsistent and confusing.
Even the very few sites that support the full passwordless WebAuthn experience have to provide other options, so you have to click on a separate link for the passwordless path. And if you make a mistake during setup, the error messages can be less than helpful.
Therefore it is hard to recommend WebAuthn to the people we most want to help—our friends and family, children and parents. The way websites, browsers and OSs implement WebAuthn today does not pass my will-my-spouse-murder-me-in-my-sleep standard of deployability.
Can I get passwordless WebAuthn?
In short, probably not today. But it’s not hopeless!
Frankly, you might get passwordless first at work. Modern single sign-on providers make it possible to use WebAuthn and other modern authenticators in combination with risk scoring, device management, and other tools in the corporate IT tool box to enable end-to-end passwordless experiences. These corporate solutions, like Okta FastPass, combine on-device biometrics and device management solutions to get there. At work, we are eating our own dogfood with WebAuthn!
Outside of the workplace, across the 17 sites I looked to secure, I found none that yet supported a bona-fide WebAuthn passwordless experience.
So what should I do?
Don’t give up!
Even if we can’t have true passwordless today, adding WebAuthn as a strong second-factor authentication is absolutely worth it. I can use WebAuthn as a second factor at 6 of my 17 sites I checked. Not great, not terrible! Another 4 of the 17 support adding TOTP one-time passwords. Although technically these one-time passwords are phishable, the risk is vastly reduced if you’re using a password manager app as your TOTP authenticator as well, as the password manager won’t autofill your credentials to the phishing site.
So using WebAuthn as a second-factor authenticator is definitely worth it and user experience is fairly seamless when combined with password managers.
But how do we ever get to the promised WebAuthn passwordless world?!
Let’s keep the pressure on the browser and operating system vendors and ask for consistency. Ask Chrome, Firefox, and Safari to standardize their naming conventions for a better user experience!
And on the other hand, let’s keep the pressure on the websites that don’t support strong authentication at all and more specifically, let’s push websites that don’t support security keys to add that support.
If you’re an IT administrator and want to support WebAuthn for your employee access, it’s easy to do with modern SSO providers like Okta.
And if you’re one of the people who builds these websites, consider adding WebAuthn support to it! The frameworks are there and ready for you to use, see Yubico’s WebAuthn developer guide and this talk for examples. With just a little more design and usability polish, we can all win!
Thanks for reading and stay safe!