Can WebAuthn succeed where Universal 2nd Factor failed?
Back in October, 2015, I wrote about the FIDO Alliance, their U2F standard, and the YubiKey implementation by Yubico. The goal of U2F
is was to describe a method for universal two factor authentication (2FA). Today, 2FA is usually done either by text messages, or by using a mobile application that provides one-time codes. U2F is aimed more at physical tokens, with the YubiKey the most well-known implementation.
While using a physical token like the YubiKey for 2FA is a killer concept, U2F support was only implemented in Chrome, and only supported by a tiny handful of sites. Because of this, U2F never saw any wide spread adaption, and the YubiKey on my key chain continues to be dead weight. It’s not terribly heavy, but dead weight nonetheless.
Now, a new authentication standard, WebAuthn, is seeing the light of day. And it might succeed where U2F failed.
Yesterday: Username And Passwords.
You probably have a lot of online accounts. A lot! And on every one of them you log in with a username (or your e-mail address) and a password. Many of you use the same username and password everywhere2. If that is the case, it’s likely that your password is short and simple, and can be found on one of the many passwords lists3 available on the internet and the so called dark web. These lists contain common passwords, and are used by hackers to brute force access to online accounts.
Credential stuffing is another attack vector used by hackers. Since many people use the same username and password everywhere4, credentials from one of the many online security breaches are used by hackers to try to gain access to online accounts on sites that have not been breached yet. So if you use the same username and password on WeHaveCrappySecurity.com, as you do on PayPal, there’s a very good chance that your PayPal account will be hacked into if WeHaveCrappySecurity.com is breached.
If you want to check if your password has been leaked in one of the many, many online security breaches where hackers have gained access to usernames and passwords, head to Have I Been Pwned. There, you can enter your password, and check if it’s part of many of the known breaches that the site tracks. On Have I Been Pwned, you can also check if your e-mail address has been part of a breach.
Today: Password Managers and 2FA.
If you’re somewhat security conscious, you use a password manager, and two-factor authentication (2FA). The password manager generates long, random, and unique passwords for every online account you have. And you don’t have to remember any passwords, the password manager takes care of that.
2FA makes sure that, even if someone knows your username and password, they won’t be able to log in without the second factor – something you have – like an app on your mobile phone that generates one-time codes.
Passwords managers and 2FA are fairly good solutions to the password problem, but far from ideal. First of all, you place all you precious eggs in the password manager’s basket. If the service gets breached, all your passwords are suddenly in the hacker’s hands. Since password managers are such a goldmine for hackers, you can be sure that they are constantly attacked. It’s only a question of time before one such attack is successful.
Two-factor authentication isn’t bullet proof either. Many online services use text messages sent to your mobile phone as their 2FA method. But hi-jacking a phone number, and redirecting text messages are ridiculously easy. Even 2FA with time-based tokens generated by an app can be circumvented with sophisticated phishing attacks.
What if we could get rid of having to use password to login altogether?
WebAuthn (Web Authentication) is a web standard published by the W3C. WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for public-key authentication of users to web-based applications and services. Or, in plain English, to make it easier for people to more securely logging in to web sites than they do today.
Instead of passwords, WebAuthn uses public key cryptography. Public key cryptography uses the concept of a key pair – a private key, and a public key. These keys are long, random numbers that have a mathematical relationship with each other. The private key is stored securely on the user’s device, while the public key and randomly generated credential ID is sent to the server for storage. The server can then use that public key to prove the user’s identity.
That Sounds Like A Password To Me!
The public key resembles a password, but it’s very different in that it doesn’t have to be a secret because it’s useless without the corresponding secret key.
During authentication an assertion is created, which is proof that the user has possession of the private key. This assertion contains a signature created using the private key. The server uses the public key retrieved during registration to verify this signature. If the signature sent from the client validates, the user is logged in.
So what about the private key? It has to be stored somewhere, but that’s not an issue. The private key can be stores on your mobile phone, on your computer, or even on the mentioned YubiKey. This means that only you have physical access to your private key, making it very hard for hackers to gain access to.
WebAuthn sure looks promising. As of January 2019, the standard is supported in Chrome, Firefox, and Edge, with upcoming support in Safari. It might not be the silver bullet we’re need to completely get rid of online account breaches and takeovers, it’s a giant leap forward in terms of security compared to password-based logins.
As far as I know, no sites support WebAuthn yet, but my YubiKey and I are eager to test it out as soon as one do.
- “Fun” fact: I went on a job interview at the Norwegian National Security Authority. The government agency is responsible for countering “threats to the independence and security of the realm and other vital national security interests, primarily espionage, sabotage or acts of terrorism.” While at their offices, I dropped my key chain, and didn’t realize it until I was back home. The YubiKey was on the key chain. For all practical purposes, it should probably be considered compromised now. I’d say I made a great, security conscious, first impression.
- Don’t do that.
- You can hear the story of the creation of the first well-known password list in episode 33 of the Darknet Diaries podcast.
- Again, don’t do that!