English
  • webauthn
  • passkey
  • mfa

Things you should know before integrating WebAuthn

Introduce some basic concepts of WebAuthn, aiming to help you make better decisions when integrating WebAuthn.

Sijie
Sijie
Developer

WebAuthn provides a more secure and user-friendly alternative to traditional passwords. Its popularity is on the rise, with an increasing number of websites embracing this technology. If you're eager to integrate WebAuthn into your own website, you're not alone. However, as a relatively new technology, you likely have many questions about it.

When considering the integration of WebAuthn into your website or application, understanding these key concepts and considerations will help you make informed decisions about whether to implement it now.

What are WebAuthn and Passkeys?

Let's clarify the definitions:

  • Web Authentication API (WebAuthn) is an extension of the Credential Management API. It empowers strong authentication with public key cryptography, enabling passwordless and secure multi-factor authentication (MFA) without the need for SMS texts.
  • Passkeys represent an intriguing WebAuthn-based alternative to the conventional "password + second-factor" approach that many of us have endured. In this context, passkeys are a specific use case within the WebAuthn standard.

Can I use passkey cross-device

Yes, you can use a Passkey on multiple devices in two ways:

  1. Syncing through Password Managers: Popular password managers such as iCloud Keychain, Google Password Manager, and 1Password allow you to sync p. Passkeys marked as "cross-platform" in the registration response, like GitHub's "synced" tag, can be used on various devices.
  2. QRCode and Bluetooth: Another approach is using QR codes and Bluetooth for signing in from another device. This method provides flexibility for users to access their accounts on different platforms.

Can it be the single authentication method

Absolutely, WebAuthn is a highly secure authentication factor. The Passkey contains a "user ID," and during authentication, the server receives the verified "user ID" as the identifier. This "user ID" can be a universally unique identifier (UUID) or other unique identifiers like email, phone number, or username. Users can choose to enter their "user ID" first and then search for a valid Passkey or select a Passkey from a list associated with the current domain.

How's the compatibility today

WebAuthn can be used in a secure context (HTTPS) and is supported in the latest versions of most browsers. For detailed compatibility information, please refer to the MDN documentation.

Domain is the key identifier of passkey

In WebAuthn actions, whether for registration or authentication, the "rp ID" (relying party ID) is a mandatory field. It represents the domain hostname of the current web page. If it doesn't match the current domain, the browser will reject the request. This means that passkeys are bound to a specific domain, and there's currently no way to migrate existing passkeys to a different domain. Additionally, passkeys cannot be used across different domains. For more details, please see this issue.

Comparing to authenticator app (TOTP)

Comparing WebAuthn to traditional two-factor authentication methods, like Time-based One-Time Passwords (TOTP) and Authenticator apps, reveals several advantages. WebAuthn offers a more user-friendly and secure authentication experience. Unlike TOTP, which requires manual entry of a constantly changing code, or Authenticator apps that may be compromised if the device is stolen, WebAuthn relies on secure hardware and biometrics for a seamless and robust authentication process.

However, it's important to note that TOTP still has its advantages, such as easy backup and cross-device use, making it compatible with nearly all devices.

Conclusion

WebAuthn is undeniably exciting, but like any groundbreaking technology, it's vital to gain a comprehensive understanding before embracing it. This article aims to equip you with the knowledge needed to make informed decisions regarding WebAuthn integration. As you consider its potential benefits, keep in mind that staying informed is your key to success. By the way, stay tuned because Logto's next major feature will support WebAuthn, offering even more possibilities for seamless and secure authentication.