Web Authentication

May 4, 2022 | 9 min read

Web Authentication Authn

Beyond Passwords: Better Security Using Web Authentication API

Would it surprise you that over three-quarters of all hacking-related breaches involve weak or stolen passwords?

Let's be honest here: passwords had their day. They were helpful for a time, but other verification methods have been proven safer and more effective at protecting users’ identities. One such solution is Web Authentication, a system specifically designed to confirm users are who they say they are.

So what is Web Authentication? How does it work? And could it possibly eliminate the use of passwords for good?

What Is Web Authentication?

web authentication

[noun]/* web • ô • then • tǝ • kā • shǝn /

Web Authentication API is a credential management API developed by the World Wide Web Consortium. This protocol allows web applications to authenticate users without storing their passwords on servers.

Online user authentication problems have existed almost as long as the web itself. The most common solution to date has been the password, which works on the assumption that only the user has access to their username and password. If those items match, the site assumes the user is legitimate.

Unfortunately, passwords are easily circumvented, especially when carelessly used by the clients they were meant to protect. And while the username/password method probably won’t disappear completely, a better customer verification solution is needed. That brings us to Web Authentication or WebAuthn.

WebAuthn is an Application Program Interface (API) that lets applications verify users’ identities without accessing or storing their passwords. The API does what passwords are supposed to do, but more effectively.

How Conventional Password Authentication Works

To understand the problem with passwords, it helps to have basic information on how conventional web authentication methods work.

While registering for an online account, a site asks the user to create a username and password, otherwise known as an ID and a key. These are stored in the merchant’s database. Then, the next time one tries to access that account, the site will ask for their unique username (ID) and password (key).

If the credentials provided match the ones on file, the user would be granted access. If they don’t match, the site will deny the login attempt. Seems simple enough, right? Well, that’s precisely the problem.

Traditional username and password schemes are based on a simple positive/negative verification mechanism. They’ve become increasingly vulnerable to cyberattacks as fraudsters have gotten better at compromising databases and tricking users into handing over personal information.

Why Passwords are Not Secure

The problem with conventional password verification is that the password is, in concept, a “shared secret.”

This is by necessity. Imagine you’re a spy meeting up with your contact, who asks you for the secret password. You may know the password, but that isn’t very helpful if your contact doesn’t. The secret has to be shared, or it doesn’t work.

In the same way, an online password is only relevant if the other party (or site) knows the password, too. Unfortunately, the site only identifies users by ID and key. As far as the server is concerned, anyone entering those two bits of information is considered a legitimate user. Shared secrets are problematic because they present more points of attack for fraudsters.

Consumers constantly need to worry about credentials exposed through phishing schemes or data breaches. At the same time, creating and remembering passwords is a headache, so users often default to weak or easy-to-guess words or phrases. Most will use the same password for years or reuse the same credentials for multiple sites.

What is Public Key Authentication?

Web Authentication API is a comparatively new technique. It was developed by the World Wide Web Consortium (W3C) in association with the FIDO (Fast IDentity Online) Alliance. The goal was to standardize simpler and stronger validation credentials through public-key authentication rather than a password.

“Public-key authentication” doesn’t sound safer than “shared secrets,” but the two techniques are very different. First, public-key authentication uses a pair of keys instead of a single password.

These keys are not something that a fraudster can simply “guess.” They are randomly generated 12+ alphanumeric character figures that have a mathematical relationship to each other. One is a public key that can be shared with a server, but the other is a private key solely stored with the user.

Criminal fraud is just one of the threats facing your business.

Take the next step to eliminate threats and defend your revenue.


The private key simply verifies that the person seeking access is the real user. It doesn’t give any information about the user. It only confirms that the user is legitimate.

The public key is not “public” in the sense that there is a published list somewhere. It’s just the only part of the equation outside sites can access. It doesn’t have to be secret because the public one is effectively useless without the corresponding private key.

Put another way: even if hackers breached an extensive database full of user credentials, all they would get is a list of meaningless numbers. Each public key is bound to a private key, but because there are billions of possible key configurations, the crook has no way to connect the two.

How Does Web Authentication Work?

Public-key cryptography is one of the common factors of all FIDO authenticators. There are three components to this process:

The Relying Party

The application that authenticates the user. With the WebAuthn API, the Relying Party encompasses the user registration point and the web server itself.

The WebAuthn Client

The software—typically the web browser—deploys the Web Authentication API, usually through a JavaScript application.

The Authenticator

The device used to create and store user credentials. This can be code embedded into the operating system, or it may be a separate physical device, such as a security key. Biometric interfaces built into devices can also use fingerprint or facial recognition sensors to confirm users.

The most important thing to note is that the authenticator’s connection to the client does not happen online. The information passed between the client, and the authenticator is at no point accessible to any outside source or interference.

The Web Authentication Security Process

There are two different stages of the secure Web Authentication process:

Web Authentication


A user registers their credentials with an Authenticator, then proves to the web application’s owner (the “Relying Party”) that the credential and Authenticator used to create it are trustworthy.

Web Authentication


The Relying Party sends data to verify the user’s identity via the Authenticator. If everything checks out, the Authenticator can sign off on the verification using the previously generated public-key credentials.

In a nutshell: the user attempts to sign in, and the site asks the browser for proof of the user’s identity. In turn, the browser requests that information from the Authenticator. As we mentioned above, this evidence could be a physical security key, a fingerprint sensor, etc.

When the Authenticator confirms the user’s identity, it passes that information back to the browser, forwarding it to the site. It either gives the site permission to accept the user’s login or rejects it in case of a mismatch.

While the process is obviously more involved, those are the basic steps. Essentially, the Authenticator is a go-between that’s trusted by both sides. This allows the browser to accept the evidence without accessing the data itself. All the action takes place behind the scenes and happens almost instantly.

What Advantages Does WebAuthn Offer?

This new technology is considered the best validation technique available. It raises the bar for protecting user accounts. In doing so, WebAunthn offers benefits for both users and merchants.

Consumer Convenience

Customers love convenience. Most customers won’t have to install specific software to use WebAuthn security. The framework was developed in conjunction with Google, Mozilla, Microsoft, and others. With so many major players involved, users will find that everything they need is built into what they are already using.

Custom Configurations

WebAuthn allows for single-factor, two-factor, or multi-factor authentication. Merchants can even provide an additional layer of identity verification for specific in-app actions, such as changing passwords.

While it’s possible to allow user access based simply on WebAuthn verification, sites can also require a secondary method to ensure robust customer authentication compliance.

Tighter Security

WebAuth doesn’t just create one pair of cryptographic keys. Instead, it makes unique keys for each website. In the unlikely event that a third party managed to gain access to a user account, that information would not allow them to access any other account.

The private user key is only stored on the user’s device. For consumers, this helps eliminate the threats of credential theft and phishing. At the same time, merchants are protected from potential liability following a data breach, as they are no longer storing customers’ personal data.

Are There Disadvantages to Using WebAuthn?

There are no serious downsides to using Web Authentication. That said, the system is still not perfect.

For example, it can complicate situations where a new authenticator is needed for an existing account. Let’s say a user loses their physical token. They would need a new one, but the WebAuthn API deliberately makes it extremely difficult to link a new key to an existing profile for security purposes.

Also, while it is an essential tool, secure Web Authentication should still be considered just one part of an overall fraud prevention strategy. Implementing WebAuthn may thwart up to 80% of hacking attacks, but it does little to prevent other threats, like post-transaction ( or "friendly") fraud.

Are you looking for a truly comprehensive fraud solution for businesses? Chargebacks911® can help you develop and implement a strategy that includes comprehensive fraud prevention and maximized revenue recovery. Contact us today to learn how much you could be saving.

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
Please share a few details and we'll connect with you!
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form