Using WebAuthn to Enforce MFA

Written by Daniel Fay on October 6, 2020


Requiring strong passwords alone is not enough to secure your organization’s resources. Multi-factor authentication (MFA) adds further layers by requiring additional verification before users are granted access. There are many flavors of MFA, such as TOTP, Push, SMS, Email, and WebAuthn — each with its own advantages and disadvantages. In this article we’ll explore one of the easiest for end users: WebAuthn.

Authentication can be composed of three different components: what you know, what you have, and who you are.

What You Know

The security concept of what you know is the initial verification: a password. Any security-focused administrator will tell you the starting point for securing an organization is to enforce strong password policies. Minimum length, complexity, history, and aging are the basic starting points for creating healthy passwords. Users rely on passwords to access the resources, applications, and systems they need. Although strong password policies are a fundamental building block of a secure environment, a password alone provides only one verification of the authenticating user.

According to a recent Verizon® study, over 67% of data breaches were due to credential theft and social attacks (e.g., phishing and spear-phishing). Malicious external parties will never cease their efforts to obtain users’ passwords. To help keep a stolen password from being enough, additional authentication layers such as MFA provide a second verification before access is allowed. MFA does this by verifying what you have and who you are, securing accounts further than password authentication alone.

Only the user should know their password, and it should never be shared. In case something happens to the password, additional layers such as TOTP, Push, or WebAuthn should be enforced.

What You Have

The security concept of what you have is a secondary verification of something that you, and only you, possess. This may be your phone or a hardware key (e.g., YubiKey® or Google® Titan®). Requiring these secondary factors ensures that if a user’s credentials are leaked or compromised, the account can still remain safe because the attacker does not have the TOTP token, cellphone, or security key.

Better still is to check who you are via an embedded biometric using WebAuthn. Users always want the simplest way to access their resources. For years, security and usability have been in an inverse relationship. This is no longer the case with the introduction of protocols such as U2F and WebAuthn. Using these MFA protocols, admins can lock down resources with WebAuthn security keys, both external and embedded.

Who You Are

The security concept of who you are is an alternate verification of your physical identity. Current devices such as MacBooks® and Windows® laptops are being built with fingerprint readers baked into the hardware, tying authentication to the biological identity of the user. When paired with a strong password, WebAuthn via a fingerprint reader makes for an easy, secure end-user experience: simply type in your password, verify your fingerprint, and access is granted.
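As an added example (not part of the original article and not JumpCloud’s code), the following Python sketches the checks a relying party performs on a WebAuthn assertion before it trusts the second factor: it confirms the fresh challenge, binds the assertion to the site’s origin and RP ID (which is what makes WebAuthn resistant to phishing), reads the user-verified flag that a fingerprint reader or PIN sets, and checks that the signature counter advanced. The RP ID, origin, challenge, and the assertion bytes are all constructed here; the final signature check over the returned signed_data with the credential’s stored public key is left to a cryptography library and is not shown.

```python
import base64
import hashlib
import json
import struct

# Relying-party configuration; hypothetical values constructed for this example.
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"

# Flag bits in authenticatorData (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # User Present: the user touched the authenticator
FLAG_UV = 0x04  # User Verified: PIN or biometric (e.g. fingerprint) checked


def b64url_decode(text: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn clients emit."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_client_data(client_data_json: bytes, expected_challenge: bytes) -> dict:
    """Validate clientDataJSON: ceremony type, fresh challenge, and origin binding."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (possible replay)")
    # The browser, not the user, fills in origin, so a look-alike site cannot
    # produce an assertion that passes this check for the real site.
    if data.get("origin") != RP_ORIGIN:
        raise ValueError("origin mismatch (assertion made for another site)")
    return data


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash (32), flags (1), signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     last_sign_count: int, require_uv: bool = True) -> dict:
    """Run the relying-party checks; return values to persist plus the bytes to verify."""
    check_client_data(client_data_json, expected_challenge)
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not parsed["flags"] & FLAG_UP:
        raise ValueError("user presence not asserted")
    # Requiring UV is what turns the key into a "who you are" factor.
    if require_uv and not parsed["flags"] & FLAG_UV:
        raise ValueError("user verification (PIN/biometric) not performed")
    # A counter that does not advance suggests a cloned authenticator.
    if (parsed["sign_count"] or last_sign_count) and parsed["sign_count"] <= last_sign_count:
        raise ValueError("signature counter did not increase (possible clone)")
    # The authenticator signs authenticatorData || SHA-256(clientDataJSON); verify
    # these bytes with the credential's stored public key (not shown here).
    signed_data = auth_data + hashlib.sha256(client_data_json).digest()
    return {"sign_count": parsed["sign_count"],
            "user_verified": bool(parsed["flags"] & FLAG_UV),
            "signed_data": signed_data}


# --- Constructed sample data (no real authenticator involved) ---------------
CHALLENGE = bytes(range(32))  # a real server draws a fresh random challenge per login


def make_sample_assertion(origin: str, flags: int, sign_count: int):
    """Build clientDataJSON and authenticatorData the way a browser and key would."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url_encode(CHALLENGE),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(RP_ID.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data, auth_data


def demo_valid() -> dict:
    """Fingerprint-verified assertion from the real origin with an advancing counter."""
    cd, ad = make_sample_assertion(RP_ORIGIN, FLAG_UP | FLAG_UV, sign_count=42)
    return verify_assertion(cd, ad, CHALLENGE, last_sign_count=41)


def demo_phished_origin() -> str:
    """Same assertion shape, but the browser recorded a different origin."""
    cd, ad = make_sample_assertion("https://login.example.net", FLAG_UP | FLAG_UV, 43)
    try:
        verify_assertion(cd, ad, CHALLENGE, last_sign_count=42)
    except ValueError as err:
        return str(err)
    return "accepted"


if __name__ == "__main__":
    print(demo_valid()["user_verified"])
    print(demo_phished_origin())
```

The origin and rpIdHash checks are the part a password or TOTP code cannot offer: the browser records where the assertion was made, so a credential used on a look-alike site fails before any signature is examined, and the UV flag lets the server insist that the fingerprint actually was checked rather than merely a key touched.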

The JumpCloud® directory platform supports WebAuthn MFA for the hundreds of critical SSO applications your organization might be using. Devices running Linux®, macOS®, and Windows are covered by JumpCloud’s device management capabilities and MDM. By combining device management with identity management, users only need to remember one strong password and use the embedded fingerprint reader on their laptop to access their system and their applications to get work done.

Try JumpCloud Free

Over 100,000 organizations use JumpCloud today for their cloud directory and identity access management needs. Set up a JumpCloud Free account today for unrestricted access to the platform, which you can use to manage up to 10 users and 10 systems for free. New accounts also receive 10 days of premium in-app chat support to help get you going. Evaluate JumpCloud and implement WebAuthn today!
