Touch ID and Beyond: Duo’s Plans for WebAuthn
In just a short time, there have been a number of developments in WebAuthn. And Duo has been at the forefront of the WebAuthn revolution.
Now it’s time to talk about how you will be able to use WebAuthn with Duo in 2019.
WebAuthn will enable the most convenient and secure authentication method for end users – the device that they are already using – to validate that the user is who they say they are via a biometric.
As a reminder, WebAuthn is a browser-based API that allows for web applications to create strong, public key-based credentials for the purpose of user authentication. You can learn more at webauthn.guide and in the previous blog post in this What is WebAuthn? series.
In 2019, Duo is using WebAuthn to support new multi-factor authentication methods.
Biometrics with Touch ID
At RSA Conference, we’ll announce the general availability of Touch ID as an MFA method in Google Chrome. This allows you to provide your end users the most convenient authentication method built-in to the latest MacBooks. In addition, Touch ID leverages a tamper-proof security coprocessor that ensures that credentials cannot be removed from the endpoint, leading to high trust that the user is who they say they are at point of authentication.
We truly believe that built-in biometrics is the most usable and the most trustworthy authentication method. It also allows customers to work around barriers associated with asking users to enroll their personal mobile devices for authentication.
As we’ve been developing this feature, we’ve been going through extensive user testing, and one of the concerns we’ve heard from users is “does Duo see my biometric information?” We’ve somewhat jokingly chalked this up to decades of espionage films where lifting a fingerprint is as easy as using some scotch tape on a door handle.
But it’s a legitimate issue of trust for end users. We want to assertively state that we do not get actual biometric signatures or fingerprints from the end user. As a third party leveraging WebAuthn to speak to Touch ID, all we get is a pass or fail and the method that is utilized for authentication.
Security Keys in Firefox
We’ve been early adopters of Security Keys here at Duo. We were among the first vendors to announce support for Security Keys via the U2F standard in 2014, and we consider Yubico to be a tremendous partner. However, we’ve only been able to support Security Keys as an authentication method within Chrome, and many of our customers have requested the ability to also use Security Keys in other browsers.
Thanks to Firefox’s early adoption of WebAuthn, we’re happy to announce that we’ll also be supporting Security Keys in Firefox.
Now, an obvious question might be: why is Touch ID supported in Chrome but not Firefox? There are a number of moving parts to enable biometrics through WebAuthn.
First, the operating system needs to expose a means to address the biometric authenticator. Second, browsers need to support that method. And last, but not least, browsers need to support WebAuthn.
Chrome and Firefox support WebAuthn. Microsoft currently has no intention to support WebAuthn in Internet Explorer. Microsoft Edge does support WebAuthn, but due to the recent announcement that the browser will be switching rendering engines to Chromium, we are waiting on a future implementation of WebAuthn to tackle supporting Windows Hello in the second half of this year.
Our roadmap ahead includes support for Fingerprint API within Google Chrome on Android later this year. This will address the millions of Android devices our customers use for accessing critical mobile services.
Apple’s Safari browser is critical for our end users because it’s the only rendering engine allowed to operate on iOS. Safari does not support WebAuthn yet, although they have shipped an early test release in a preview build. We expect Apple to ship WebAuthn support with the next iteration of iOS and MacOS later this year, and we plan on following fast with support for Touch ID for our iPhone and iPad users.
Building Toward Passwordless Authentication
WebAuthn is a nascent browser API, and we’re excited to be early adopters of this exciting opportunity to tap into built-in biometric authentication methods. We want to build products for our customers while also helping the drive adoption of WebAuthn in the community.
We were excited to launch WebAuthn.guide last month, which is a development guide for implementing WebAuthn. And our Duo Labs team launched WebAuthn.io, a test site for WebAuthn across browsers using security keys and other authenticators.
2019 will be the year of biometric authenticators for MFA, and we’re excited to help lay the foundation for a passwordless future.