WebAuthn

Web Authentication
AbbreviationWebAuthn
Year started2013
First published2019
Latest versionLevel 2 Recommendation
21 April 2021 (2021-04-21)
Preview versionLevel 3 (FPWD)
15 December 2021 (2021-12-15)
OrganizationFIDO2 Project (FIDO Alliance and W3C)
CommitteeWeb Authentication Working Group
Editors
Current editors
  • Jeff Hodges (Google)
  • J.C. Jones (Mozilla)
  • Michael B. Jones (Microsoft)
  • Akshay Kumar (Microsoft)
  • Emil Lundberg (Yubico)
Previous editors
  • Dirk Balfanz (Google)
  • Vijay Bharadwaj (Microsoft)
  • Arnar Birgisson (Google)
  • Alexei Czeskis (Google)
  • Hubert Le Van Gong (PayPal)
  • Angelo Liao (Microsoft)
  • Rolf Lindemann (Nok Nok Labs)
Base standards
  • File API
  • WHATWG Encoding Standard
  • Unicode AUX #29: Text Segmentation
DomainAuthentication

Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). Its primary purpose is to build a system of authentication for web-based applications that solves or mitigates the issues of traditional password-based authentication. Zero-knowledge proofs based on public-key signature schemes are used to register and authenticate users without the need to transmit or store private authenticating information (such as passwords) on servers. Passwords are replaced by the so-called WebAuthn Credentials which are generated client-side and stored in so-called Authenticators. WebAuthn supports both roaming authenticators (such as physical security keys) and platform authenticators (such as smartphones). While different types of credentials are supported, synced discoverable credentials (also known as Passkeys) are the most common ones. WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance.

On the client side, authenticators are abstract functional models that are mostly agnostic with respect to how the key material is managed. This makes it possible to implement support for WebAuthn purely in software, making use of a processor's trusted execution environment or a Trusted Platform Module (TPM). Sensitive cryptographic operations can also be offloaded to a roaming hardware authenticator that can in turn be accessed via USB, Bluetooth Low Energy, or near-field communications (NFC). A roaming hardware authenticator conforms to the FIDO Client to Authenticator Protocol (CTAP), making WebAuthn effectively backward compatible with the FIDO Universal 2nd Factor (U2F) standard.

Like legacy U2F, Web Authentication is resilient to verifier impersonation; that is, it is resistant to phishing attacks, but unlike U2F, WebAuthn does not require a traditional password. Moreover, a roaming hardware authenticator is resistant to malware since the private key material is at no time accessible to software running on the host machine.

The WebAuthn Level 1 and 2 standards were published as W3C Recommendations on 4 March 2019 and 8 April 2021 respectively. A Level 3 specification is currently a First Public Working Draft (FPWD).

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.