WebAuthn

from Wikipedia, the free encyclopedia

WebAuthn is a standard published by the World Wide Web Consortium (W3C) for a programming interface with which web applications and websites can offer their users direct authentication using a public key method in the web browser. This can significantly simplify the user experience and dispense with the multitude of individual passwords for each website. The prerequisite is that the web browser can securely access an authenticator in or on the user's device. Many modern smartphones and laptops offer this in the form of fingerprint sensors or face recognition. The standard enables web developers to access such an authenticator through a WebAuthn-compatible web browser, making their services both safer and easier to use. This gives the web developer a significant security advantage, as they may no longer have to manage customer passwords and protect them from access by third parties.

Technical description

WebAuthn is a core component of the FIDO2 project within the W3C, with close involvement of the FIDO Alliance.

On the client side, support for WebAuthn can be implemented in various ways. The underlying cryptographic operations are carried out by an authenticator. This is an abstract functional model that is largely agnostic about how the key material is managed. This makes it possible to implement support for WebAuthn in software only, using a processor's trusted execution environment, or using a Trusted Platform Module (TPM).

Sensitive cryptographic processes can also be transferred to a roaming hardware authenticator, which in turn can be accessed via USB, Bluetooth Low Energy or Near Field Communication (NFC). A roaming hardware authenticator conforms to the Client to Authenticator Protocol (CTAP) of the FIDO client, which means that WebAuthn is effectively backwards compatible with the FIDO standard U2F (Universal 2nd Factor).

Like the older U2F, web authentication is resistant to verifier impersonation, i.e. it is resistant to active man-in-the-middle attacks, but unlike U2F, WebAuthn does not require a conventional password. In addition, a roaming hardware authenticator is resistant to malware, since software on the host computer can never access the private key material.

The WebAuthn Level 1 standard was published on March 4, 2019 as a recommendation by the World Wide Web Consortium (W3C). A level 2 specification is under development.

Windows 10 and Android support WebAuthn. WebAuthn is already supported by the browsers Firefox, Chrome / Chromium, Safari (on macOS) and Edge.
