Andrey Ovcharov

Tech blog

Andrey Ovcharov

WebAuthN - authentication without password

Some time ago I was reading news and met a very interesting topic - password-less authentication. The idea is great: instead of remembering multiple passwords for the different websites one could use special device called Authenticator which will cover all registration and authentication process using modern cryptography and biometric technologies.

In simple words registration should look like:

  • User enters their email or desired username;
  • The browser asks Authenticator for confirmation and user has to confirm registration with fingerprint;
  • On success the new cryptographic key pair is created and then used further for the authentication.

Authentication looks like:

  • User enters their email or username;
  • The browser ask Authenticator for confirmation with the fingerprint.

The technology provides a number of benefits for the end user. It’s very user friendly - no need to remember strong passwords, just a touch of the finger for register or authenticate. You can not forget your fingerprint - it’s always with you. Stolen user’s database won’t give hackers any guess on password - the secret key is held separately on the device.

The full description of the technology is available in standard FIDO2: Web Authentication (WebAuthn) which was accepted as recommendation by W3C consortium earlier this year. The standard was developed by companies like Google, Microsoft and Yubico.

New authentication standard is supported by Google Chrome already, however Bluetooth BLE authentication is an experimental feature and you need to enable it separately. Other major browsers are in the different stages of the development process.

Personally for me not all details of the standard are clear. For example, what people should do if the Authenticator device is lost? Is there a way to withdraw authentication made by this device? How do the log in afterwards?

Nevertheless we can assume that this standard will become mainstream for the secure and user friendly authentication in the next years, may be months.