Skip navigation

Effective October 28, 2019 Duo Security will be transitioning to Cisco's Privacy Statement. View the Duo Privacy Data Sheet.

Duo Labs

VIDEO: A Technical How-To Guide for WebAuthn 2019

What a big year for passwordless! Since March, the World Wide Web Consortium (W3C), one of the global organizations governing web standards, and The Fast Identity Online Alliance (or FIDO) Alliance, an industrial association for developing authentication and authorization standards, have come together to declare that Web Authentication (WebAuthn) is now an official global web standard.

More recently the Chrome development team at Google has begun to urge developers to migrate to WebAuthn from their U2F APIs. With the help of The FIDO Alliance and the W3C standards boards, along with many others in the security community, WebAuthn has already begun to see tremendous adoption in its debutant year.

The Open Source Community Drives Adoption

One thing that I believe helped drive rapid adoption the most is the amazing job the open source community has done at providing resources and examples of the specification. In 2017, the Duo Labs team open-sourced our own example of the the WebAuthn specification on webauthn.io, which has since been split into a core library for easy usage, and a standalone web application with a WebAuthn demonstration (that uses the core library) with links to other great open-source examples of the standard. Our work couldn’t have been possible without contributions by many developers who are equally excited about WebAuthn, so tremendous thanks to all of them! 

New standards can be hard to unpack and understand fundamentally, because they’re often more conceptual than specific to a language or framework. I think most of the time developers will look for a pre-existing package that abstracts away the understanding of the standard as a concept, and will just import the package into their codebase with the assumption that it works. While this is probably not ideal, there’s no shame in this! I’ve definitely done that in the past. It’s hard to read and fully understand everything to the fullest when you have deadlines. 

Because of this, Duo (and myself) believe that providing and promoting accessible educational resources and exemplary code is one of the best ways to help not only drive developer adoption, but help developers understand enough that they feel comfortable in their knowledge of a subject like WebAuthn to go out and implement it in a way that is most effective for them and their business. 

Technical WebAuthn How-To Video 

To help with this, I’ve recorded a video of a workshop I gave earlier this year during one of The FIDO Alliance’s annual meetings. This talk goes a little deeper than a general overview of the specification and gets a bit technical. In it, I go step by step through the aspects of the WebAuthn standard using the https://webauthn.io code as a guide. 

I hope that it will allow you and others to come away with a deeper understanding of what is possible with the specification, and how to make it work for your projects.

I hope to have more of these videos in the future and that this video helps you better understand the spec. As always, feel free to reach out to me on Twitter at @codekaiju or in the comment section of the video.