Skip navigation

What is WebAuthn?

Authentication is evolving - and WebAuthn (Web Authentication) is what’s next. See the first blog post in this series, The History of Biometric Authentication to get an overview of how biometric authentication has evolved through innovations by major platform vendors Apple and Microsoft.

The Ecosystem

If we take a step back and think about biometric authentication as an ecosystem, we might frame it in the following way:

Biometric Authentication Ecosystem

Hardware is addressed two-fold:

  • Biometric sensors like fingerprint sensors or facial recognition systems
  • Secret storage processor like Secure Enclave Processors (SEP) or Trusted Platform Modules (TPM)

Platforms mean at the system level:

  • TouchID/FaceID and Fingerprint API on iOS and Android respectively
  • Windows Hello and TouchID on Windows and MacOS respectively

Open standards have been the missing gap. The web is built upon open frameworks that can be leveraged by third parties, and there hasn’t been a solution that can meet the heterogeneous uses for biometric authentication. And that’s where WebAuthn fits in.

Enter WebAuthn

WebAuthn is a browser-based API that allows for web applications to create strong, public key-based credentials for the purpose of user authentication. It was officially ratified by the W3C (World Wide Web Consortium) in April of this year, and we’ve seen tremendous movement and support by major browsers ever since. Mozilla Firefox was first with support for WebAuthn and Google added Chrome support just last month. Microsoft’s Edge browser is also expected to add support later this year.

Immediately, WebAuthn can be used to support Universal Second Factor (U2F) security keys. However, as laptops with biometric authenticators become increasingly ubiquitous in enterprise environments, it will be used primarily for biometric authentication.

WebAuthn will allow for web applications to trust a strong biometric authentication as a credential that is specific only to that service. No more shared passwords. And due to the aforementioned benefits of modern biometric authentication methods, this means that we now have a secure means to generate, store and utilize a credential whose attributes are unknown to the user and thus can’t be stolen and exploited. What we’re talking about is true passwordless authentication.

Leveraging WebAuthn for MFA

We are currently in the process of building support for WebAuthn as an authentication method. We have been privately beta testing U2F support in browsers beyond Chrome for the past month. What we’re truly excited about is leveraging WebAuthn as a bridge to passwordless authentication in the enterprise. We believe that user interactions for secure authentication will eventually collapse to built-in biometric solutions.

Customers will look to use WebAuthn because it will enable the most convenient and secure authentication method for end users - the device that they are already using - to validate that the user is who they say they are via a biometric.

Stay tuned for our next blog post in this series to find out How Duo Will Support WebAuthn.

Steve Won

Steve Won

Senior Product Manager

@stevewon

Steve Won is a Senior Product Manager at Duo Security, where he leads the company's authentication and Microsoft efforts, working closely with the Engineering and Labs R&D teams. Prior to joining Product, Steve worked closely with Duo’s largest customers on the Customer Success team and brings customer context to every decision. A graduate of Northwestern University, Steve now resides in Seattle with his physician wife, Katie.