With WebAuthn, web authentication is finally getting smart
As reported recently by security investigative reporter Brian Krebs, Google claims to have eliminated phishing as a threat among its employees. Social engineering generally and spear phishing in particular are still the entry methods of choice in most sophisticated attacks, so this is quite an accomplishment. Google achieved this by making all users on its internal systems authenticate with hardware security keys.
Hardware security keys are smart devices connected to the device that is authenticating over the network, usually through a USB port. Bluetooth- and NFC-connected keys are also available, largely used on mobile devices.
The key is a piece of smart hardware that can generate public/private key pairs and sign with them. It’s a strong form of authentication and works much better than a password and even better than a one-time-password token, the use of which can still be phished. The client software, probably a web browser, talks directly to the device through defined interfaces. The standards and certification for these devices are controlled by the FIDO Alliance. FIDO identifies the devices that conform to its specification and refers to them as Universal Second Factor (U2F) devices.
The protocol is the key
What is really interesting and new is not the hardware as much as the emergence of a new standard from the W3C and a lot of key industry players: Web Authentication: An API for accessing Public Key Credentials Level 1, better known as WebAuthn. The elevator pitch from the specification itself describes it as “…an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.”
Heretofore, standards for authenticating a user to a website or service have been weak or nonexistent. Developers mostly had to hack together their own, which discouraged the adoption of technologies newer and stronger than the abuse-prone username and password combination.
Currently (August 2018), WebAuthn is at W3C Candidate Recommendation status, which is one review process away from formal recommendation status. But the major browser authors (except possibly Apple) aren’t waiting that long. Google Chrome and Mozilla Firefox both support WebAuthn in their current stable versions. Microsoft Edge in Windows 10 supports it in build 17723 on the Windows Fast Ring, so it should be generally released this fall. Apple’s Safari is based on the open source WebKit browser engine, the status page for which lists WebAuthn as “Under Consideration.”
WebAuthn is not just about security keys. It is a generalized API for accessing public key credentials. Those credentials could also be in a smart card; in an authentication app on the phone, like Authy; or in the Trusted Platform Module (TPM) in a computer. Microsoft’s Edge implementation supports Windows Hello, its biometric authenticators, through WebAuthn, as well as FIDO2 security keys, meaning you could use your face or fingerprint to log in to websites that support WebAuthn.
Where does it work?
This list isn’t authoritative and should grow over time, but currently supported sites are Google, Facebook, GitHub, Dropbox, Salesforce, and Dashlane (a password manager). There are others, including products that support security keys in non-WebAuthn scenarios. These things are useful in all kinds of ways. Want to use one to store GPG keys? Yubico explains how to do it with its cards here.
Sites like Google aren’t freeing you from using passwords just because you have a security key. The keys are supposed to be a second authentication factor, not the only one. So, you still have to enter your username and password, or have the browser or a password manager save them. Until recently.
The protocol used by FIDO U2F keys to generate keys, register them, and authenticate is called Client to Authenticator Protocol (CTAP), and WebAuthn is compatible with this protocol. Version 1 of this protocol (CTAP1) only dealt with public key cryptography and the second factor. CTAP2, which is being given the friendlier name FIDO2, supports use as a first authentication factor. The problem with a scenario this simple is that anyone who finds or steals your key can access all your accounts. But the second factor could be a biometric device or something else strong, not one of those problematic passwords. In fact, the key itself could include a fingerprint reader. But any reasonable configuration would require some sort of second factor.
Enterprise, yes; consumer, not so much
Google’s experience shows that a well-run, managed network can use WebAuthn and U2F to block some of the most serious threats facing an enterprise. The keys are inexpensive, and requiring employees to use them is completely reasonable.
For consumers, the picture is murkier. The benefits of the key are a harder sell, and they don’t relieve the user of responsibility. For instance, you really need to keep a backup of your key; Yubico sells packs of two keys with the idea that you use the second as a backup. Of course, consumers will lose theirs in a hundred different ways, and then there may be no way to access their accounts. This will seem like a bad deal compared with using the same weak password everywhere.
So maybe the answer there is innovation. The newest Google Pixelbooks contain a built-in U2F key, so you don’t need a separate USB key for that device. There are downsides to this approach though, the main one being that you don’t get to use the same key on more than one device.
The fact that we call these devices "keys" and the hole for a key ring in some devices both underscore the key metaphor. I see limits to that model. This is the kind of device you want to keep on your person as a general rule, and not everyone keeps their keys on them at all times. You never know when you’ll need that really important key.
A phone or smart watch could certainly act as a U2F secure key, but neither would have a USB plug and so would need to connect over Bluetooth or NFC, which won’t likely be convenient on a computer. In fact, since Bluetooth requires a battery, it’s likely never going to be a good solution for U2F. Perhaps the solution is an attractive line of NFC-enabled jewelry, although this might run counter to the benefit of U2F keys being inexpensive.
As I mentioned, one-time password (OTP) devices, such as RSA SecurID, can be phished. An attacker who has already installed malware on the device can keylog the password and the code and transmit them to a system where they can be used to log in. You might even convince the user that you are tech support and that they should read you the code over the phone. These actions are not feasible with U2F secure keys. Even if the user could find it, an attacker would have a hard time convincing a user to read a binary digital signature over the phone.
Still, it must be said that whatever weaknesses may exist in the OTP token model, it’s not the big problem WebAuthn will solve. (RSA SecurID supports FIDO U2F, if you’re curious.) The problem is accounts with only a username and password and users who use the same password across dozens of sites.
I wrote a story here advocating for the use of password managers in the enterprise. Is it a contradiction to advocate for WebAuthn too? Probably not. In the near term, WebAuthn and U2F in the enterprise will be limited to authenticating to enterprise assets, although it’s not hard to see the same keys being used for Salesforce, Office 365, and other outside services. But there are plenty of other sites, outside and inside the network, for which you might need passwords and on which WebAuthn will not be configured.
In the future, we will tell our children that, back in the day, the web didn’t have a standardized API for credential management and access, and that people got tricked out of their credentials all the time. They’ll stare at us with incredulity, thinking how stupid a design that was. They will be right.
WebAuthn: Lessons for leaders
- It's not just two-factor authentication.
- Good for the enterprise might not be consumer-friendly.
- The standard can be an enhancement to existing password-protection schemes.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.