As organizations leverage multi-factor authentication (MFA/2FA) to secure their employees, many consider using hardware MFA devices. Found to be the one of the most secure types of MFA, hardware keys, aka universal second factor (U2F) keys, rely on WebAuthn in order to be applied to web-based services. But what is WebAuthn anyways?
What is WebAuthn?
The Web Authentication API, colloquially known as WebAuthn, was created by the World Wide Web Consortium (W3C) and the FIDO (Fast IDentity Online) Alliance in collaboration with Microsoft, Google, Yubikey, Mozilla, et al. The protocol leverages public key cryptography to specifically authenticate access to web-based resources like applications and some Platform-as-a-Service and Infrastructure-as-a-Service (PaaS & IaaS) solutions.
Public Key Cryptography
When used for authentication, public key cryptography requires that a user present a pair of keys to gain access to a service: a public key and a private key. The public key is shared — usually within the services the user accesses — and is stored in relation to its respective user. When the user offers the private key upon login, the service combines it with the public key and checks the result against a stored value to authenticate the user.
Some forms of public key cryptography, like SSH keys, use complex digital keys that need to be managed. In contrast, WebAuthn can leverage physical hardware such as a USB drive that securely stores the private key until the user needs it. Regardless of how it’s implemented, public key cryptography is generally regarded as a more secure alternative to the username and password combination required at most logins.
Using WebAuthn as a Second Factor
Despite the fact that public key cryptography is more secure, the password prevails as the core authentication method for most services. With WebAuthn, IT admins can safeguard their users by adding an additional factor to their authentication process, often U2F keys.
Why Use U2F Security Keys and WebAuthn
Using WebAuthn to apply U2F keys to web resource access provides three core benefits to an organization. Let’s go over each below.
While evaluating several forms of 2FA and their efficacy, Google Security blog found that physical security keys are nearly 100% effective at denying a takeover by a bad actor, even one that is specifically targeting a user. Compared to other popular 2FA methods, physical security keys rank as the most secure.
WebAuthn requires the end user’s unique U2F key be physically plugged into the machine, so it’s virtually impossible for a bad actor to crack the user’s account without stealing the physical key. In addition, some U2F keys leverage a fingerprint reader, requiring end user biometrics which are even harder to crack.
Ease of Use
In spite of the security benefits 2FA generally provides, some end users find that entering in an additional auth factor, like a time-sensitive code from their phone, eats into their productivity. Many top U2F keys only need to be plugged into the user’s laptop and interacted with upon login, depending on the key used.
Some keys have a button that end users press after entering their credentials; others require a quick finger swipe for biometric authentication. Either way, U2F keys simplify the end user experience, making MFA just a touch away.
WebAuthn is API-driven, meaning it integrates well with most web applications. In a day and age where organizations are free to choose the SaaS solutions that best fit their needs, WebAuthn provides 2FA to practically any choice of app.
How to Implement WebAuthn for MFA
IT organizations can leverage a cloud directory service to require hardware MFA for access to web applications. Directory-as-a-Service offers preconfigured WebAuthn-guarded access to its User Portal. There, employees can securely access their web applications through SAML 2.0 single sign-on (SSO) with Just-in-Time (JIT) and SCIM provisioning to hundreds of supported apps. Thus access to your web applications can be secured with U2F whether that particular application supports Webauthn or not.
If you’d like to learn more about how the process works, check out this article. By signing up for a free JumpCloud account, you can follow along with the article, and then see what else Directory-as-a-Service has to offer once you’re done.