Skip navigation
A fingerprint scanner on a phone
Industry News

What is WebAuthn?

Authentication is evolving— and WebAuthn (Web Authentication) is what’s next. Check out our first blog post in this series, The History of Biometric Authentication to get an overview of how biometric authentication has evolved through innovations by major platform vendors like Apple and Microsoft.

So what is WebAuthn and what does it do? Web Authentication software like WebAuthn, allows businesses to verify the identity of their users through applications installed directly onto their browser. With the help of multi-factor authentication (MFA) methods, WebAuthn API registers a user's information online, then verifies their identity via a secondary method through their mobile device. Users verify their identity—proving they are who they say they are—through biometric authentication. WebAuthn supports a variety of biometric authentication tools, such as TouchID, FaceID, and Fingerprint API.

What is WebAuthn made up of?

If we take a step back and think about biometric authentication as an ecosystem, we might frame it in three significant parts:

Hardware is addressed two-fold:

  • Biometric sensors like fingerprint sensors or facial recognition systems

  • Secret storage processor like Secure Enclave Processors (SEP) or Trusted Platform Modules (TPM)

At the system level, these platforms mean:

  • TouchID/FaceID and Fingerprint API on iOS and Android respectively

  • Windows Hello and TouchID on Windows and MacOS respectively

In the field of biometric authentication, open standards have been the missing gap. The web is built upon open frameworks that can be leveraged by third parties, and there hadn't been a solution that could meet the heterogeneous uses and diverse requirements for biometric authentication. And that’s where WebAuthn fits in.

What is WebAuthn used for?

WebAuthn, sometimes called web authn, is a browser-based API that enables web applications to create strong, public key-based credentials for the purpose of user authentication. It was officially ratified by the W3C (World Wide Web Consortium) in April 2018, and we’ve seen tremendous movement and support by major browsers ever since. Mozilla Firefox was the first browser to support WebAuthn in May of 2018,  followed shortly after by Google Chrome and Microsoft Edge.

Since its release, WebAuthn can be used to support Universal Second Factor (U2F) security keys. However, as laptops with biometric authenticators become increasingly ubiquitous in enterprise environments, WebAuthn will be used primarily for biometric authentication.

What is the WebAuthn protocol?

WebAuthn is designed to resist phishing attacks for the security of its users’ data and protect user privacy with a convenient and secure authentication method. Allowing users to authenticate using biometrics and mobile devices reduces reliance on traditional passwords.

Is WebAuthn more secure?

Traditional passwords are often at risk for phishing attacks—deceptive emails or websites that are designed to trick users into disclosing their credentials. Weak or overused passwords are also vulnerable to brute force attacks, in which a hacker systematically tries to guess the password though different combinations until they gain access.

These password-related cybercrimes rely on counterfeit emails, websites, or messages meticulously crafted to project an aura of authenticity, often masquerading as reputable entities or familiar contacts to gain access to sensitive, personal data or resources. The consequences of falling prey to phishing endeavors can encompass data breaches, financial loss, and compromised security.

Individuals and businesses need to stay vigilant to password attacks and embrace modern cybersecurity measures like WebAuthn that can cut out the need for passwords and rely on each user’s unique biometrics and secure key-based credentials for access and protection.

Will WebAuthn replace passwords?

WebAuthn's use of a key-based credential replaces the need for a passkey or token. This allows web applications to trust a strong biometric authentication as a credential that is specific only to that service. No more shared passwords. And due to the aforementioned benefits of modern biometric authentication methods, this means that we now have a secure means to generate, store, and use a credential whose attributes are unknown to the user and thus can’t be stolen and exploited. What we’re talking about is true passwordless authentication.

Does WebAuthn work for MFA?

Duo leverages WebAuthn's biometric authentications to enable a secure multi-factor authentication (MFA) login process on both mobile devices and laptops. What we’re truly excited about is using WebAuthn as a bridge to passwordless authentication in the enterprise. We believe that user interactions for secure authentication will eventually collapse to built-in biometric solutions.

Customers will look to use WebAuthn because it will enable the most convenient and secure authentication method for end users—the device that they are already using—to validate that the user is who they say they are via a biometric.

Want to know more about what Duo has to offer for WebAuthn? Explore Duo WebAuthn.