Introducing the WebAuthn Authenticator Open-Source Library
At Duo, we’re incredibly fond of the strong authentication properties provided by WebAuthn. We have been talking for some time about the issues posed by password-based authentication, and much of our recent work has centered around demystifying WebAuthn and making it more accessible and understandable to end-users and developers alike.
Though WebAuthn is poised to change how we think about authentication, the current hardware landscape makes adoption challenging. Most current standalone authenticators do not provide the ability to verify a user’s identity (via biometrics, PIN, etc.). Hardware like Apple’s Touch ID (which can serve as an authenticator) is being bundled with new computers, but the refresh cycle on laptops/desktops is fairly long, recently nearing six years for desktops. Mobile devices, on the other hand, have a replacement cycle under three years, and mobile device manufacturers have been adding new security features at a rapid pace.
Many consumer mobile devices already have security properties that make them great candidates for storing sensitive information like WebAuthn credentials: hardware-backed cryptographic operations, biometric user verification, and deep integration between hardware and software that reduces the the ability of malicious code to cause damage or steal secret data.
To this end, Duo Labs is releasing an open-source Android library that serves as a WebAuthn authenticator, supporting hardware-backed keys and biometric user verification. This adds to our collection of open source WebAuthn libraries, including server-side WebAuthn implementations in Golang and Python, and our webauthn.io demonstration site.
We hope this release will allow developers to experiment with the authenticator model on hardware already in the hands of the masses, and we’re excited to see what you create. To learn more, see examples and download the library, check it out on GitHub.