Secure Authentication with WebAuthn

WebAuthn (Web Authentication API) is a credential management API built into modern web browsers that lets web applications authenticate users with asymmetric public-key cryptography, providing a passwordless form of authentication. It is now a World Wide Web Consortium (W3C) standard, and it adds an extra layer of security when used as a second factor in place of the traditional SMS one-time code.

WebAuthn relies on an authenticator, which can be the user's own machine, a mobile phone, or a hardware security key such as a YubiKey, on any site that supports the standard. It offers several advantages over password-based systems: protection against phishing (a credential is bound to the origin that registered it), better privacy (a separate key pair per site), and reduced impact from data breaches (the relying party stores only public keys). Because every response signs a fresh server challenge, an attacker cannot successfully replay a captured request, which also defeats man-in-the-middle attacks.

How it works!

Figure: WebAuthn overview

Registration Process

Registration must happen before authentication. During registration, the browser works with the authenticator to create a new public-key credential (a key pair) that is used to sign a challenge generated by the server, also called the relying party. The public key of the new credential, along with the signed challenge, is sent back to the relying party for storage. The relying party later uses this stored public key to verify the identity of the user whenever required.

Figure: WebAuthn registration flow

Authentication Process

During authentication, the relying party sends a fresh challenge to the authenticator. The authenticator signs the challenge with the private key of the previously registered credential and returns the signature to the relying party. The relying party verifies the signature with the stored public key, which proves that the user is in possession of the credential and so proves their identity.

Figure: WebAuthn authentication flow

Browser API:

navigator.credentials.create: creates new credentials, either for registering a new account or for associating a new asymmetric key pair credential with an existing account.

navigator.credentials.get: uses an existing set of credentials to authenticate to a service, either logging a user in or acting as a second factor.
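The following is an added example, not code from the original post: two helpers that turn the JSON a hypothetical relying-party server returns (challenge, RP id, user id and stored credential ids, all assumed to be base64url strings) into the option objects that navigator.credentials.create and navigator.credentials.get expect.

```javascript
// Added example (not from the original post): helpers that turn the JSON a
// hypothetical relying-party server sends into the option objects that
// navigator.credentials.create() and navigator.credentials.get() expect.
// Assumed: challenge and ids arrive as base64url strings; ES256/RS256 accepted.

function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function bytesToBase64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Registration. The challenge is the server's one-time random nonce; the browser
// puts it and the origin into clientDataJSON, which is what stops replay/phishing.
function buildCreationOptions(server) {
  return {
    publicKey: {
      challenge: base64urlToBytes(server.challenge),
      rp: { id: server.rpId, name: server.rpName },
      user: {
        id: base64urlToBytes(server.userId),
        name: server.userName,
        displayName: server.userDisplayName,
      },
      // COSE algorithm ids: -7 = ES256, -257 = RS256
      pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
      authenticatorSelection: { userVerification: "preferred" },
      attestation: "none",
      timeout: 60000,
    },
  };
}

// Authentication. Only a fresh challenge and the credential ids stored at
// registration are needed; the authenticator signs with the private key.
function buildRequestOptions(server) {
  return {
    publicKey: {
      challenge: base64urlToBytes(server.challenge),
      rpId: server.rpId,
      allowCredentials: server.credentialIds.map((id) => ({ type: "public-key", id: base64urlToBytes(id) })),
      userVerification: "preferred",
      timeout: 60000,
    },
  };
}
```

In the browser, pass the returned object to navigator.credentials.create(...) or navigator.credentials.get(...) and send the response's clientDataJSON plus attestationObject (registration) or authenticatorData and signature (authentication), base64url-encoded with bytesToBase64url, back to the relying party for verification.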

