
Web Authentication API standard: passwordless web authentication



In March 2018, the FIDO Alliance (Fast IDentity Online) and the W3C (World Wide Web Consortium) reached an important milestone: after two years of development, the Web Authentication standard (WebAuthn) received Candidate Recommendation (CR) status, a stable version of the document that is no longer expected to change. The CR comment period ended on May 1.

What's next? Now it is up to Google, Mozilla and Microsoft. Once the Web Authentication API has been independently and interoperably implemented in two browsers, the standard will move to Proposed Recommendation status. By that point all comments from the community will have been considered, and the document will be submitted to the W3C Advisory Committee for final approval.

Note that, in addition to the core Web Authentication API, the FIDO AppID extension must also be implemented independently and interoperably in two browsers, in order to validate the extension framework itself. The remaining extensions may be dropped from the standard at the last stage before approval if they are not implemented independently and interoperably in two browsers.
So the standard is all but adopted. Representatives of the FIDO Alliance are confident that Google, Mozilla and Microsoft will promptly implement the corresponding API in their browsers on Windows, Mac, Linux, Chrome OS and Android; the work is already underway. The Web Authentication Working Group includes representatives of more than 30 organizations, including the developers of all leading browsers, so their support should not be long in coming. At this stage, the working group is inviting web services and application developers to implement WebAuthn.

What does the new standard give developers and ordinary users?

WebAuthn defines a standard API that is supported in browsers and related web platforms.

User Benefits




Three ways of passwordless authentication in the Azure cloud using a YubiKey token: one of the first practical implementations of the new Web Authentication API standard

WebAuthn was developed together with the FIDO (Fast IDentity Online) Alliance and is becoming a key component of the FIDO2 project, alongside the Client to Authenticator Protocol (CTAP) specification, which covers communication between the client device and an external authenticator.

Universal Authenticator


Using the CTAP protocol, an external authenticator (for example, a cryptographic token) passes signed authentication data (attestations and assertions) to the local, Internet-connected device (a computer or mobile phone) over USB, Bluetooth or NFC.



Thus, the FIDO2 specifications provide simple and reliable authentication to online services from a desktop computer or a mobile device. Most importantly, it is unified authentication that does not depend on the platform, browser, service and so on: a single authenticator should work everywhere the Web Authentication API standard and the corresponding protocols are supported. This is a serious answer to password leaks, phishing, MitM attacks and other serious information security problems (credentials are bound to the site's origin, so a look-alike phishing page cannot use them). Just recently Twitter discovered a bug that caused user passwords to be written to an internal log in plain text. The state of security on the Internet leaves much to be desired, and ordinary password protection cannot be trusted.

“Security has long been a problem that prevents many of the positive effects the Internet has for society. Although there are many problems with web security and not everything has been fixed, reliance on passwords is one of the weakest links. With WebAuthn's multi-factor solutions, we eliminate this weak link,” said W3C CEO Jeff Jaffe. “WebAuthn will change the way people work on the web.”

In fact, we are on the verge of a new era of ubiquitous hardware authentication to protect every Internet user.

Of course, widespread distribution of authenticators is still a long way off. Right now we are seeing only the first examples of how Web Authentication API support is being implemented and how it works in practice.

One of the first demonstrations of the Web Authentication API in action was organized by Microsoft and the token manufacturer Yubico: a project on passwordless authentication in the Azure cloud using a YubiKey token. This recently released FIDO2 authentication token is supported in Windows 10 and Microsoft Azure Active Directory (Azure AD). At the time of release in April 2018, the feature was available only to subscribers of the Microsoft Technology Adoption Program. This YubiKey became the first token on the market with FIDO2 support.


The adoption of FIDO2 as part of the universal Web Authentication API standard will expand the use of FIDO authenticators, which have been used in individual solutions for several years. FIDO2-enabled browsers and web services will be backward compatible with previously certified FIDO keys for passwordless UAF authentication and U2F two-factor authentication.



FIDO2 is a more advanced version of the original FIDO Universal 2nd Factor (U2F) standard created by Yubico and Google. Whereas U2F still required a username and password, FIDO2 supports more use cases, including passwordless schemes.

Passwordless authentication with FIDO2 can be either single-factor or two-factor: the same YubiKey tokens support a PIN that is verified on the hardware itself and, unlike a password, is never sent to the server. The token therefore combines two authentication factors: “something you have” (the device itself) and “something you know” (the PIN).

Unfortunately, passwordless authentication has its drawbacks. For example, if a YubiKey token is lost, only a backup key will help (if the user made one). But for that, the backup key has to be registered in advance with every service, so that the previous (lost) key can later be revoked. However, the Web Authentication platform supports various kinds of authenticators, so the user will be able to log in to the service in another way.

So it now remains to wait for Google, Mozilla and Microsoft to introduce full support for Web Authentication and FIDO2 on all platforms. All three companies have announced full Web Authentication API support for Chrome, Firefox and Edge respectively. A representative of Opera Software is also in the Web Authentication Working Group.

Then website and service developers will join the process. Each user will be able to choose which method of passwordless authentication is more convenient for logging in to sites: a fingerprint scanner, a token such as a YubiKey, or something else.

In the near future the FIDO Alliance will begin certifying servers, clients and authenticators against the FIDO2 specifications. The corresponding test tools are available on the official website, as are help resources for developers. Yubico has published beta versions of sample server code for CTAP2/WebAuthn support: libraries in C, Python and Java.



We announce the “More cyber defense for sports” promotion!

GlobalSign joins the celebration of the most ambitious event for all athletes and football fans, the 2018 World Football Championship, and GIVES AWAY 1 YEAR OF SSL PROTECTION! *

Terms of the promotion:
• When you purchase any one-year DV, OV or EV SSL certificate, you get the second year free.
• The promotion applies to all sports-related sites.
• The promotion is valid only for new orders and does not apply to partners.
• To take advantage of the offer, send a request on the website with the promotional code: SL003HBFR.

The promotion will last until July 15, 2018.

You can get additional information about the promotion from GlobalSign Russia managers by phone: +7 (499) 678 2210.

MORE PROTECTION with GlobalSign!

Source: https://habr.com/ru/post/358622/

