WebAuthn for developers: 5 steps to better authentication

Passwords are a well-known weak link in the security chain. Users tend to choose easily guessable passwords and, even when they create strong ones, often reuse them, allowing a single breach to compromise multiple accounts.

An effort by the World Wide Web Consortium to standardize on a common way for browsers to provide access to strong authentication could eventually reduce the need for passwords. Called Web Authentication, or WebAuthn (pronounced "web-auth-en"), the proposal will give websites and applications a standard API for strongly authenticating users using a mobile phone or other device, or a biometric.

The specification promises to change the way users log into online services and web applications, but only if developers follow the guidelines, said Phil Dunkelberger, CEO of Nok Nok Labs, which has worked on the effort for the last five years. "You are trying to stop using usernames and passwords, which we know are broken," he said. "You are trying to stop SMS, which we know is broken."

"You are trying to stop scalable attacks. You are trying to get better usability to the end users. And all of that will be left up to the developers."
Phil Dunkelberger

WebAuthn is rapidly gaining momentum. In March, the World Wide Web Consortium published the specification as a Candidate Recommendation, a late stage on the path to a W3C standard, defining how web browsers create and use public-key credentials to add strong authentication and even replace passwords.

The effort involves the major browser vendors Google, Microsoft, and Mozilla, along with companies interested in improved web security, such as Nok Nok Labs, PayPal, Qualcomm, and Yubico. Mozilla, for example, integrated WebAuthn into Firefox 60, released on May 9.

Here are the five key best practices every developer should follow.


1. Heed WebAuthn's opinion

WebAuthn is an "opinionated" specification. While the standard is flexible in many ways, it is strict in how it handles cryptographic signatures and hashes, said Dave Camp, vice president of engineering for Mozilla's Firefox.

"The end game here is to provide a secure alternative to passwords, using web-based technology," Camp said. "Best practices for web authentication are outlined in the specification, and developers should refer to it to ensure that implementation is done in the most secure manner."

2. Avoid replay attacks and cloning

WebAuthn cannot stop an authenticator from being cloned, but it gives the relying party a way to notice: each authenticator keeps a signature counter that it increments every time it signs a login assertion. The counter is managed by the authenticator, and a cloned copy would soon exhibit suspicious counter behavior, said James Barclay of Duo Labs.

"If that number stayed the same twice, or if it decreased suddenly, you would know that something was wrong," he said. "So make sure you are keeping track of the signature count."

Most toolkits and web frameworks supporting WebAuthn will do this automatically, but the developer should confirm that the counter is actually checked and that a failed check is acted on, for instance by rejecting the login and flagging the credential. And if devs are writing the relying-party code themselves, it is an essential check to include.

3. Focus on user experience

Good security needs to be easy to use. WebAuthn allows developers to more easily accept a range of authenticators to access their application or service. Better yet, applications can request the easiest-to-use authenticators and save more onerous measures for situations that seem anomalous.

"There are standard Firefox notifications that are shown to the user when a website uses WebAuthn, and developers have the flexibility to customize the exact flow to their login scenarios," said Mozilla's Camp.

4. Plan ahead for token loss

Moving to WebAuthn can be difficult for services that already have an established group of two-factor authentication users. Developers have to take care when moving to the more restrictive origin policies of WebAuthn, especially if they are also making use of the extensions for backward compatibility, Camp said.

In addition to dealing with transitioning the token and keys, developers have to consider how to deal with lost tokens, he said.

"For most developers, the biggest hurdle is deciding how to handle users losing their security key."
Dave Camp

There are a number of recovery flows in use today, all with different tradeoffs, he said. Some of these recovery techniques include providing backup codes, enrolling a phone number, and contacting support. "Deciding what works best for their users will likely take more effort than invoking the Web Authentication API," he said.

5. Dynamically scale authentication

Service providers can allow users to log into their accounts using device authentication through WebAuthn, and only if there is an anomaly—such as a new IP address or a new device—will the service provider have to dynamically scale up its authentication requirements.

The end result is better usability and better security, said Nok Nok's Dunkelberger.

"Whether it is a browser or a hardware token, you have a single standard that supports all those different modalities," he said. "If you want to use a strong security-based standard to get rid of passwords and support better ease of use, you now have a standard supported by all these industry people."

Get up to speed on WebAuthn

Developers should educate themselves and get familiar with the new specification before integrating it into their applications, because they need to follow a series of steps, said James Barclay, senior research and development engineer at Duo Labs, an authentication provider. The steps are not hard, but if you are implementing it yourself it can be easy to make a mistake.

If a developer fails to account for replay attacks or check the validity of the authenticator, for example, an attack is possible, he said. 

"If you are not doing all the steps that are outlined in the specification for relying parties, then the security of the system is defeated."
James Barclay

WebAuthn may not totally eliminate passwords, but it will certainly reduce password use.

