Beyond Passwords: Better Security Using Web Authentication API
Would it surprise you that over three-quarters of all hacking-related breaches involve weak or stolen passwords?
Let's be honest here: passwords had their day. They were helpful for a time, but other verification methods have been proven safer and more effective at protecting users’ identities. One such solution is Web Authentication, a system specifically designed to confirm users are who they say they are.
So what is Web Authentication? How does it work? And could it possibly eliminate the use of passwords for good?
- Can a Virtual Credit Card Help Cut-Down on Fraud?
- EMV Liability Shift: What Merchants Need to Know Going Forward
- Mastercard Installments: A New Way to Buy Now & Pay Later
- Amazon Palm Payments: New Tech Enabling Safer Commerce
- Is One-Click Checkout Right for Your Business?
- How Biometric Payments Can Help Fight eCommerce Fraud
What Is Web Authentication?
- web authentication
Web Authentication API is a credential management API developed by the World Wide Web Consortium. This protocol allows web applications to authenticate users without storing their passwords on servers.
[noun]/* web • ô • then • tǝ • kā • shǝn /
Online user authentication problems have existed almost as long as the web itself. The most common solution to date has been the password, which works on the assumption that only the user has access to their username and password. If those items match, the site assumes the user is legitimate.
Unfortunately, passwords are easily circumvented, especially when carelessly used by the clients they were meant to protect. And while the username/password method probably won’t disappear completely, a better customer verification solution is needed. That brings us to Web Authentication or WebAuthn.
WebAuthn is an Application Program Interface (API) that lets applications verify users’ identities without accessing or storing their passwords. The API does what passwords are supposed to do, but more effectively.
Chargebacks can wreak havoc on your cash flow and profitability. This FREE paperback book is your guide for preventing chargebacks and, when they happen, fighting them more effectively.Send Me My Free Paperback Book!
How Conventional Password Authentication Works
To understand the problem with passwords, it helps to have basic information on how conventional web authentication methods work.
While registering for an online account, a site asks the user to create a username and password, otherwise known as an ID and a key. These are stored in the merchant’s database. Then, the next time one tries to access that account, the site will ask for their unique username (ID) and password (key).
If the credentials provided match the ones on file, the user would be granted access. If they don’t match, the site will deny the login attempt. Seems simple enough, right? Well, that’s precisely the problem.
Traditional username and password schemes are based on a simple positive/negative verification mechanism. They’ve become increasingly vulnerable to cyberattacks as fraudsters have gotten better at compromising databases and tricking users into handing over personal information.
Why Passwords are Not Secure
The problem with conventional password verification is that the password is, in concept, a “shared secret.”
This is by necessity. Imagine you’re a spy meeting up with your contact, who asks you for the secret password. You may know the password, but that isn’t very helpful if your contact doesn’t. The secret has to be shared, or it doesn’t work.
In the same way, an online password is only relevant if the other party (or site) knows the password, too. Unfortunately, the site only identifies users by ID and key. As far as the server is concerned, anyone entering those two bits of information is considered a legitimate user. Shared secrets are problematic because they present more points of attack for fraudsters.
Consumers constantly need to worry about credentials exposed through phishing schemes or data breaches. At the same time, creating and remembering passwords is a headache, so users often default to weak or easy-to-guess words or phrases. Most will use the same password for years or reuse the same credentials for multiple sites.
What is Public Key Authentication?
Web Authentication API is a comparatively new technique. It was developed by the World Wide Web Consortium (W3C) in association with the FIDO (Fast IDentity Online) Alliance. The goal was to standardize simpler and stronger validation credentials through public-key authentication rather than a password.
“Public-key authentication” doesn’t sound safer than “shared secrets,” but the two techniques are very different. First, public-key authentication uses a pair of keys instead of a single password.
These keys are not something that a fraudster can simply “guess.” They are randomly generated 12+ alphanumeric character figures that have a mathematical relationship to each other. One is a public key that can be shared with a server, but the other is a private key solely stored with the user.
Criminal fraud is just one of the threats facing your business.
Take the next step to eliminate threats and defend your revenue.
The private key simply verifies that the person seeking access is the real user. It doesn’t give any information about the user. It only confirms that the user is legitimate.
The public key is not “public” in the sense that there is a published list somewhere. It’s just the only part of the equation outside sites can access. It doesn’t have to be secret because the public one is effectively useless without the corresponding private key.
Put another way: even if hackers breached an extensive database full of user credentials, all they would get is a list of meaningless numbers. Each public key is bound to a private key, but because there are billions of possible key configurations, the crook has no way to connect the two.
How Does Web Authentication Work?
Public-key cryptography is one of the common factors of all FIDO authenticators. There are three components to this process:
The most important thing to note is that the authenticator’s connection to the client does not happen online. The information passed between the client, and the authenticator is at no point accessible to any outside source or interference.
The Web Authentication Security Process
There are two different stages of the secure Web Authentication process:
A user registers their credentials with an Authenticator, then proves to the web application’s owner (the “Relying Party”) that the credential and Authenticator used to create it are trustworthy.
The Relying Party sends data to verify the user’s identity via the Authenticator. If everything checks out, the Authenticator can sign off on the verification using the previously generated public-key credentials.
In a nutshell: the user attempts to sign in, and the site asks the browser for proof of the user’s identity. In turn, the browser requests that information from the Authenticator. As we mentioned above, this evidence could be a physical security key, a fingerprint sensor, etc.
When the Authenticator confirms the user’s identity, it passes that information back to the browser, forwarding it to the site. It either gives the site permission to accept the user’s login or rejects it in case of a mismatch.
While the process is obviously more involved, those are the basic steps. Essentially, the Authenticator is a go-between that’s trusted by both sides. This allows the browser to accept the evidence without accessing the data itself. All the action takes place behind the scenes and happens almost instantly.
In this exclusive guide, we outline the 50 most effective tools and strategies to reduce the overall number of chargebacks you receive.Get the FREE guide
What Advantages Does WebAuthn Offer?
This new technology is considered the best validation technique available. It raises the bar for protecting user accounts. In doing so, WebAunthn offers benefits for both users and merchants.
Are There Disadvantages to Using WebAuthn?
There are no serious downsides to using Web Authentication. That said, the system is still not perfect.
For example, it can complicate situations where a new authenticator is needed for an existing account. Let’s say a user loses their physical token. They would need a new one, but the WebAuthn API deliberately makes it extremely difficult to link a new key to an existing profile for security purposes.
Also, while it is an essential tool, secure Web Authentication should still be considered just one part of an overall fraud prevention strategy. Implementing WebAuthn may thwart up to 80% of hacking attacks, but it does little to prevent other threats, like post-transaction ( or "friendly") fraud.
Are you looking for a truly comprehensive fraud solution for businesses? Chargebacks911® can help you develop and implement a strategy that includes comprehensive fraud prevention and maximized revenue recovery. Contact us today to learn how much you could be saving.