With the proliferation of distributed work globally and as cybercriminals become more sophisticated by the day – it’s clear that traditional passwords and legacy MFA simply aren’t strong enough. Enter WebAuthn, an API that makes it easy for web services to integrate strong authentication into applications using support built in to all leading browsers and platforms.
A few key facts to know about WebAuthn:
- The story started in 2013, when Yubico and Google co-created the U2F standard and contributed it to the FIDO alliance. U2F was succeeded in 2019 by WebAuthn, developed under the umbrella of the World Wide Web Consortium (W3C) with Yubico, Microsoft, and Google as leading contributors. WebAuthn continues to be developed further by these and other industry partners.
- It offers significant security gains over traditional time-based one-time password (TOTP) or SMS-based two-factor authentication (2FA) – thanks to its secure design based on public key cryptography and strict domain binding. Widespread implementation, which can help curb account takeovers from phishing and other modern cyberthreats, will not be achievable until trust is established with everyday users.
By understanding WebAuthn and how it functions, we are able to further the adoption of passwordless. Emil Lundberg, software engineer and WebAuthn editor at Yubico, recently joined the Swedish IT security podcast Säkerhetssnack to share more about this. During the podcast, Emil talks about the past, present, and future of WebAuthn and its unique ability to make organizations phishing resistant. Check out the video below to listen to the questions and topics discussed. Some of the highlights from the discussion include:
- An overview of WebAuthn – what it is and who created it
- How simple and seamless the WebAuthn process is for end users
- What happens under the hood when websites authenticate users
- How the devices your team uses every day are built to work with WebAuthn — and how YubiKeys create the same strong protection across multiple devices
For more information on WebAuthn implementation and best practices, check out our blog here.