{"id":8021,"date":"2022-01-10T10:14:13","date_gmt":"2022-01-10T10:14:13","guid":{"rendered":"https:\/\/emtunc.org\/blog\/?p=8021"},"modified":"2022-01-10T10:14:14","modified_gmt":"2022-01-10T10:14:14","slug":"webauthn-the-future-of-strong-user-authentication","status":"publish","type":"post","link":"https:\/\/emtunc.org\/blog\/01\/2022\/webauthn-the-future-of-strong-user-authentication\/","title":{"rendered":"WebAuthn – the future of strong user authentication"},"content":{"rendered":"\n

Web Authentication<\/em>, or WebAuthn<\/em> is a standard for strong user authentication and is a core part of the FIDO2 specification. I’m not going to go into too much technical detail about the spec in this blog because there already exists a plethora of awesome documents and demonstrations which explain WebAuthn better than I ever could; I’ll include those in the Additional Reading<\/em> section below.<\/p>\n\n\n\n\n\n\n\n

What is WebAuthn?<\/h2>\n\n\n\n

Phishing is still one of the (if not the<\/em>) most common entry point into organisations today. The reason it’s the most common attack vector is because it’s fairly simple to carry out; even by low-skilled criminals.<\/p>\n\n\n\n

WebAuthn is a modern authentication standard designed to mitigate against this threat. It also helps mitigate against man in the middle (MiTM)<\/em> attacks where the attacker is able to manipulate network traffic.<\/p>\n\n\n\n

In the WebAuthn world, you have two types of authenticator<\/em>. A roaming authenticator<\/em> and a platform authenticator<\/em>. Roaming authenticators<\/em> are cross-platform authenticators; they usually come in the form of FIDO2 capable USB security keys like YubiKeys. Platform authenticators<\/em> are those that are built into the platform, or device. For example, TouchID on a modern Mac, FaceID on a modern iPhone or Windows Hello on a modern Windows laptop.<\/p>\n\n\n\n

What makes WebAuthn special is that a tightly scoped set of credentials (public and private key) are created for each and every<\/em> relying party, or website you register your WebAuthn factor with. Each credential contains metadata; one of the most important is the relying party identifier<\/em>, or domain name. What makes this so special is that each credential is effectively locked<\/em> to a domain. This means that if you are tricked into visiting a fake website, the credentials on your roaming<\/em> or platform<\/em> authenticator won’t match up with the fake website and thus won’t give up any secrets; keeping you and your identity safe.<\/p>\n\n\n\n

How does it compare to existing authentication mechanisms?<\/h2>\n\n\n\n

I’m going to refer to a table I created to compare WebAuthn against the most common<\/em> user-authentication mechanisms available today.<\/p>\n\n\n\n

From weakest to strongest:<\/p>\n\n\n\n

Strength<\/th>Authentication Mechanism
(when used as part of MFA)<\/th>		Description<\/th><\/tr><\/thead>
Why would you do this to yourself?<\/td>None<\/td>Hopefully it should be obvious why not having any secondary authentication factor is a bad idea. Unfortunately, users of a system are often not given a choice.<\/td><\/tr>
Weak<\/td>SMS<\/td>SMS is not ideal but is better than nothing at all. It will deter almost all drive-by<\/em>, untargeted attacks. The security isn’t great and there are many articles which demonstrate real<\/em> attack paths where criminals are able to grab the SMS OTP codes. The user experience is just as bad; you require a network signal and on occasion, text messages can take several minutes to go through, assuming they don’t get blocked by your network provider for looking like spam.<\/td><\/tr>
Strong<\/td>Push based authentication<\/td>Push based authentication is offered by the likes of Duo, Okta Push, OneLogin Protect and many others. It provides a good user experience but arguably (well, I think so anyway) poorer security experience.
Many organisations which implement push based authentication do it poorly which means an attacker could frustrate a victim by bombarding them with push prompts. In these situations, it is inevitable the victim will begrudgingly accept one of the prompts; out of pure frustration or by accident.
It is also susceptible to MiTM attacks which could end in successful compromise of the account.<\/td><\/tr>
Stronger<\/td>Time Based OTP (TOTP)<\/td>This is the most popular form of secondary authentication – the most common apps which enable use of TOTP are Google Authenticator<\/em> and Authy<\/em>.
TOTP-based authentication is great; it provides a good user experience (you don’t have to wait several minutes for a text to arrive!) and good security. The secret or seed<\/em> is stored locally on your device (or encrypted on a remote server in the case of Authy) and it is not trivial for someone with ill intentions to obtain your codes remotely.
However it is also susceptible to MiTM attacks which could end in successful compromise of the account.<\/td><\/tr>
Strongest<\/td>Web Authentication<\/td>WebAuthn hits the ball out of the park when it comes to user experience and security. It is able to provide the fastest-time-to-authenticate but more importantly, is able to resist phishing attacks.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Hold on. What do you mean it’s able to resist phishing? I thought TOTP-factors were able to do this already?!<\/h2>\n\n\n\n

Don’t get me wrong, Time based OTP<\/em> authentication is\/was great and served us well. It certainly does<\/em> resist phishing attacks if and only if<\/em> an attacker isn’t able to socially engineer or phish the victim’s OTP (usually valid for 30 to 60 seconds) in near real time.<\/p>\n\n\n\n

That last sentence is crucial here. If<\/em> an attacker is able to phish a victim in real time, they are able to steal and abuse the OTP or<\/em> simply steal the session cookie\/token returned by the application after a successful login.<\/p>\n\n\n\n

You might be thinking to yourself that such an attack is farfetched and would never happen<\/em>. I’ll say that I have personally seen such an attack successfully take place and that there are plenty of frameworks available that make it incredibly easy for low-skilled criminals to carry out.<\/p>\n\n\n\n

So what makes WebAuthn phish-resistant? To cut a long story short, the credentials generated on the authenticator (this can be a USB security key like a YubiKey or it can be the fingerprint sensor on your phone or laptop) are scoped<\/em> to the domain they were generated for.<\/p>\n\n\n\n

What this means is that even if you are duped into entering your username and password into a very convincing phishing page (say evil.example.com<\/em>), the browser would relay the domain name of the phishing site to the authenticator at which point the authenticator will reply with “Sorry old chap, I don’t have any credentials for evil.example.com”<\/em><\/p>\n\n\n\n

Should I care?<\/h2>\n\n\n\n

In short and to the point: if you value the security, privacy and safety of your employees, infrastructure and customers then I would strongly encourage you to make plans to upgrade to WebAuthn backed factors as soon as you are able to.<\/p>\n\n\n\n

If you already use a modern Identity Provider then a lot of the hard work is already done for you.<\/p>\n\n\n\n

I’ll create a follow-up post to this one detailing my experience deploying WebAuthn, some things I did to ensure a smooth rollout and other things I would do better next time.<\/p>\n\n\n\n

Leave a comment if there’s anything else you’d like to know about and I’ll either edit this post or include it in the next.<\/p>\n\n\n\n

Additional Reading<\/h2>\n\n\n\n