Andrey Ovcharov

Professional Software Engineer and hobbyist Hardware enthusiast

WebAuthn - authentication without a password

Some time ago I was reading the news and came across a very interesting topic - password-less authentication. The idea is great: instead of remembering multiple passwords for different websites, one could use a special device called an Authenticator, which handles the whole registration and authentication process using modern cryptography and biometrics.

In simple words, registration looks like this:

  • The user enters their email or desired username;
  • The browser asks the Authenticator for confirmation, and the user confirms the registration with a fingerprint;
  • On success, a new cryptographic key pair is created and used for all later authentications.

Authentication looks like this:

  • The user enters their email or username;
  • The browser asks the Authenticator for confirmation, again with a fingerprint.

The technology provides a number of benefits for the end user. It is very user-friendly: no need to remember strong passwords, just a touch of a finger to register or authenticate. You cannot forget your fingerprint; it is always with you. A stolen user database gives attackers no hint of a password, because the private key stays on the device and is never sent to the server.

The full description of the technology is available in the standard FIDO2: Web Authentication (WebAuthn), which was accepted as a W3C recommendation earlier this year. The standard was developed by companies such as Google, Microsoft, and Yubico.

The new authentication standard is already supported by Google Chrome; however, Bluetooth (BLE) authenticators are an experimental feature that has to be enabled separately. Other major browsers are at different stages of implementation.

Personally, not all details of the standard are clear to me. For example, what should people do if the Authenticator device is lost? Is there a way to withdraw the authentication made by this device? How do they log in afterward?

Nevertheless, we can assume that this standard will become the mainstream for secure and user-friendly authentication in the coming years, maybe months.