Last week, two new standards for password-free authentication on websites and in mobile and web applications were published: the WebAuthn API and CTAP. Both have been approved by Microsoft, Mozilla and Google.
More details about them below.
WebAuthn is the result of a collaboration between the W3C and the FIDO Alliance. The first develops technology standards for the Internet, and the second develops and improves reliable standards for network authentication.
Work on the WebAuthn standard began in 2015, when FIDO transferred the FIDO2 specification group to the W3C consortium. Subsequent versions of the FIDO 2.0 Web API allow users to log in to Google, Facebook, Dropbox, GitHub and other services using security tokens.
WebAuthn works on the same principles as the FIDO 2.0 Web API, but it supports many other authentication methods. The new standard gives users the ability to identify themselves to network applications and sites by fingerprint, face, retina and other biometrics.
The FIDO Alliance also developed the CTAP (Client-to-Authenticator Protocol) authentication protocol, which allows users to be identified using external security keys (for example, USB keys) or mobile devices.
The standards have already been approved by representatives of Microsoft, Apple, Google, PayPal and others. This means that they will soon begin to be integrated into the IT ecosystem. In particular, the W3C consortium has already urged developers to start working on WebAuthn implementations.
WebAuthn working principle
The sequence of user actions during authentication with the help of the new standard is as follows:
- A user opens the site example.ru on a computer or laptop and sees the option "Login using the phone".
- The user selects this option and receives a message from the browser: "Please log in on your phone."
- The phone receives a notification: "Enter the site example.ru".
- When the user taps the notification, a list of accounts appears, and the desired one is selected.
- Next comes an authorization request (scan a finger, enter a PIN code, etc.); if it succeeds, the site opens on the computer or laptop.
The login data (credentials) belongs to the user and is managed by an authenticator; the service using WebAuthn interacts with that authenticator through the browser and the OS. Scripts perform the operations of creating new credentials or authenticating with existing ones, but they have no access to the user's data: they only receive information about it in the form of objects.
The standard is based on two basic methods responsible for registration and login: navigator.credentials.create() and navigator.credentials.get(). With their help, WebAuthn registers login data (credentials) on the server and then uses it to verify the "authenticity" of the user.
- navigator.credentials.create() creates credentials either when registering an account or when associating a new asymmetric key pair with an already existing account.
- navigator.credentials.get() uses already known credentials for authentication on the service.
Both methods require a secure connection (for example, HTTPS). In operation, they receive a long number from the server, called a challenge, and send it back signed with the private key. This proves to the server that the user holds the private key required for authentication, so no additional secret has to be disclosed over the network.
At the same time, the user's login credentials are tied to a unique ID. The client passes this ID to the authenticator during every operation so that everything takes place exclusively within the identified service.
About CTAP
The CTAP protocol conceptually consists of three levels: Authenticator API, Message Encoding, and Transport-specific Binding.
At the Authenticator API level of abstraction, each operation is defined as an API call: it accepts input parameters and returns a result (or an error). The following methods are used here: authenticatorMakeCredential for generating new credentials, authenticatorGetAssertion for confirming authentication, and authenticatorCancel for canceling all current operations.
At the Message Encoding level, all requests to the Authenticator API are formed and encoded. The host must build and encode the request and send it to the authenticator over the selected transport protocol.
At the Transport-specific Binding level, requests and responses are transmitted to external authenticators over USB, NFC, Bluetooth, etc.
Who implements it
The 60th release of Firefox and the 67th release of Chrome (coming out in May) will support WebAuthn. Back in February, Microsoft announced support for this specification in the Edge browser and in Windows Hello, its integrated credential authentication system.
The companies are convinced that these browser innovations will increase protection against phishing, man-in-the-middle (MITM) attacks and replay attacks.
Apple has not yet commented on support for the standard in Safari, but some of its engineers are part of the WebAuthn working group, so news about the introduction of the new standards can be expected soon.
Michael Jones, director of Microsoft partnerships and one of the editors of the WebAuthn specification, said: "The implementation of WebAuthn is a big step towards practical, robust and reliable authentication data in the network."