Beyond Passwords: Better Security Using Web Authentication API
Would it surprise you to learn that over three-quarters of all hacking-related breaches involve weak or stolen passwords?
Let's be real here: passwords had their day. They were useful for a time, but other verification methods have been proven safer and more effective at protecting users’ identities. One such solution is Web Authentication, a system specifically designed to confirm that users are who they say they are.
So what is Web Authentication? How does it work? And could it possibly eliminate the use of passwords for good?
- EMV Liability Shift: What Merchants Need to Know Going Forward
- How Virtual Account Numbers Protect Cardholder Data Online
- Should Merchants Offer Cash Back on Debit Card Purchases?
- Mastercom Collaboration: The Impact on Merchants & Banks
- Mastercard Installments: A New Way to Buy Now & Pay Later
- How to Manage the Internet of Things & Fraud Threats
What Is Web Authentication?
- web authentication
Web Authentication API is a credential management API developed by the World Wide Web Consortium. This protocol allows web applications to authenticate users without storing their passwords on servers.
[noun]/* web • ô • then • tǝ • kā • shǝn /
Online user authentication problems have existed almost as long as the web itself. The most common solution to date has been the password, which works on the assumption that only the user has access to their username and password. If those items match, the site assumes the user is legitimate.
Unfortunately, passwords are easily circumvented, especially when they are carelessly used by the very clients they were meant to protect. And while the username/password method probably won’t disappear completely, a better customer verification solution is needed. That brings us to Web Authentication, or WebAuthn.
WebAuthn is an Application Program Interface (API) that lets applications verify users’ identities without accessing or storing their passwords. The API does what passwords are supposed to do, but much more effectively.
Chargebacks for Dummies
Chargebacks can wreak havoc on your cash flow and profitability. This book is your guide for preventing chargebacks and, when they happen, fighting them more effectively. Request your FREE paperback copy of Chargebacks for Dummies today!Send Me My Free Book!
How Conventional Password Authentication Works
To understand the problem with passwords, it helps to have basic information on how conventional web authentication methods work.
During registration for an online account, a site asks the user to create a username and password, otherwise known as an ID and a key. These are stored in the merchant’s database. Then, the next time one tries to access that account, the site will ask for their unique username (ID) and password (key).
If the credentials provided match the ones on file, the user will be granted access. If they don’t match, the site will deny the login attempt. Seems simple enough, right? Well, that’s exactly the problem.
Traditional username and password schemes are based on a simple positive/negative verification mechanism. They’ve become increasingly vulnerable to cyberattacks as fraudsters have gotten better at compromising databases and tricking users into handing over personal information.
Why Passwords are Not Secure
The problem with conventional password verification is that the password is, in concept, a “shared secret.”
This is by necessity. Imagine you’re a spy meeting up with your contact, who asks you for the secret password. You may know the password, but that’s worthless if your contact doesn’t know the password, too. The secret has to be shared, or it doesn’t work.
In the same way, an online password is only relevant if the other party (or site) knows the password, too. Unfortunately, the site only identifies users by the ID and key. As far as the server is concerned, anyone entering those two bits of information is considered the legitimate user. Shared secrets are problematic because they present more points of attack for fraudsters.
Consumers constantly need to worry about credentials getting exposed through phishing schemes or a data breach. At the same time, creating and remembering passwords is a headache, so users often default to weak or easy-to-guess words or phrases. Most will use the same password for years, or reuse the same credentials for multiple sites.
What is Public Key Authentication?
Web Authentication API is a comparatively new technique. It was developed by the World Wide Web Consortium (W3C) in association with the FIDO (Fast IDentity Online) Alliance. The goal was to standardize simpler and stronger validation credentials through the use of public-key authentication, rather than a password.
“Public-key authentication” doesn’t sound much safer than “shared secrets,” but the two techniques are very different. To start with, public-key authentication uses a pair of keys instead of a single password.
These keys are not something that a fraudster can simply “guess.” They are randomly generated 12+ character alphanumeric figures that have a mathematical relationship to each other. One is a public key which can be shared with a server, but the other is a private key that is solely stored with the user.
Criminal fraud is just one of the threats facing your business.
Take the next step to eliminate threats and defend your revenue.
The private key simply verifies that the person seeking access is the real user. It doesn’t give any information about the user. It only confirms that the user is legitimate.
The public key is not “public” in the sense that there is a published list somewhere. It’s just the only part of the equation outside sites can access. It doesn’t have to be secret because, without the corresponding private key, the public one is effectively useless.
Put another way: even if hackers breached a large database full of user credentials, all they would really get is a list of meaningless numbers. Each public key is bound to a private key, but because there are literally billions of possible key configurations, the crook has no way to connect the two.
How Does Web Authentication Work?
Public-key cryptography is one of the common factors of all FIDO authenticators. There are three components to this process:
The Relying Party
The application that authenticates the user. With the WebAuthn API, the Relying Party encompasses both the user registration point and the web server itself.
The WebAuthn Client
The device used to create and store user credentials. This can be code embedded into the operating system, or it may be a separate physical device, such as a security key. Biometric interfaces built into devices can also use fingerprint or facial recognition sensors to confirm users.
The most important thing to note is that the authenticator’s connection to the client does not happen online. The information passed between the client and the authenticator is at no point accessible to any outside source or interference.
The Web Authentication Security Process
There are two different stages of the secure Web Authentication process:
A user registers their credentials with an Authenticator, then proves to the web application’s owner (the “Relying Party”) that the credential and Authenticator used to create it are trustworthy.
The Relying Party sends data to verify the user’s identity via the Authenticator. If everything checks out, the Authenticator can sign off on the verification using the previously generated public-key credentials.
In a nutshell: the user attempts to sign in, and the site asks the browser for proof of the user’s identity. In turn, the browser requests that information from the Authenticator. As we mentioned above, this evidence could be a physical security key, a fingerprint sensor, etc.
When the Authenticator confirms the user’s identity, it passes that information back to the browser, which forwards it to the site. It either gives the site permission to accept the user’s login, or rejects it in case of a mismatch.
While the process is obviously more involved, those are the basic steps. Essentially, the Authenticator is a go-between that’s trusted by both sides. This allows the browser to accept the evidence without having to actually access the data itself. All the action takes place behind the scenes, and happens almost instantly.
50 Insider Tips for Preventing More Chargebacks
In this exclusive guide, we outline the 50 most effective tools and strategies to reduce the overall number of chargebacks you receive.Free Download
What Advantages Does WebAuthn Offer?
This new technology is considered the best validation technique available. It raises the bar for protecting user accounts. In doing so, WebAunthn offers benefits for both users and merchants.
Are There Disadvantages to Using WebAuthn?
There are no serious downsides to using Web Authentication. That said, the system is still not perfect.
For example, it can complicate situations where a new authenticator is needed for an existing account. Let’s say a user loses their physical token. They would need a new one, but for security purposes, the WebAuthn API deliberately makes it extremely difficult to link a new key to an existing profile.
Also, while it is an important tool, secure Web Authentication should still be considered just one part of an overall fraud prevention strategy. Implementing WebAuthn may thwart up to 80% of hacking attacks, but it does little to prevent other threats, like post-transaction ( or "friendly") fraud.
Looking for a truly comprehensive fraud solution for businesses? Chargebacks911® can help you develop and implement a strategy that includes both extensive fraud prevention and maximized revenue recovery. Contact us today to learn how much you could be saving.