Over the last weeks, I’ve been working on a library implementing the server side of WebAuthn: Wax.
What is WebAuthn?
WebAuthn (and FIDO2) are a set of protocols that enable phishing-resistant authentication based on authenticators. They work by generating key pairs (private-public keys) for a user for a specific site (~= URI) in a registration phase and reusing them for further authentication. If you want to use WebAuthn for authentication of your users, you’ll therefore have 2 steps:
- Register a user key
- Authenticate using the generated key
What does it look like?
Here is a video demo of WebAuthn / FIDO2 authentication using security keys:
(If you have an authenticator, you can try it out yourself: https://github.com/tanguilp/wax_demo)
What are authenticators?
As of today, most authenticators are USB keys. However, this is changing fast, as they will soon include:
- Smartphone sensors (fingerprint, face recognition, etc.)
- Sensors on laptops
- NFC / Bluetooth keys
One can also imagine using the fingerprint sensor on one’s smartphone to authenticate to a website on a computer, the smartphone using Bluetooth or NFC to enable FIDO2/WebAuthn communication with the computer.
Authenticators can be certified by the FIDO Alliance. When registering a new WebAuthn/FIDO2 key, you can actually receive strong guarantees about the authenticator used, for instance the use of special hardware protection to protect the private keys (TEE / TPM).
What does it solve?
The shortcoming of today’s unlocking mechanisms on smartphones is that the process is local to the smartphone, which helps keep the biometrics on the phone and only there, but prevents the server from receiving actual proof of user authentication (in general, it only receives a token that might come from the user’s smartphone - or not). With WebAuthn & FIDO2, the server receives a signed security proof of user authentication (and, with some extensions, of authorization). And when a biometric authentication scheme is used, the biometric data (e.g. a fingerprint) does not leave the authenticator (the server does not receive it).
Besides, unlike other authentication mechanisms such as passwords, push notifications, SMS, etc., it is not phishable.
How to use it in authentication flows?
- As a second factor for high-risk users such as admins, in addition to the password
- As an optional second factor for knowledgeable people
- As a convenience first factor, as an alternative to the password (like in the demo video)
- As the first and only factor on websites where you don’t need to know your users, but need to authenticate them?
Will it solve all authentication problems?
Many people in the Identity and Access Management community go into ecstasies when talking about WebAuthn/FIDO2 - like 2016, no 2017, no 2018, no 2019 is the year of the death of passwords. However:
People will lose, forget or change their authenticators, be it smartphones, security keys or smartphones. This means they’ll have to register again, which is not so good from a UX standpoint. Regarding security, the weakest link becomes the reinitialization process. If that’s a code sent by email then, well, the security level will be that of access to the user’s inbox (password?)
Some people will probably be reluctant to use it for privacy reasons, especially when biometrics is involved (and even if there’s no actual privacy risk since biometry will not be sent to the server). Like “Login with [social network]” today (I personally seldom use it).
So I guess it will be one authentication scheme among others, and passwords will still be used, for better or for worse.
What’s the status of the lib?
Most of the standard is implemented and I’ll keep maintaining the lib. If you have an authenticator, feel free to test the demo app and file an issue if it doesn’t work.
There are also a lot of things to rework and complete on it, such as implementing new crypto algorithms which are not supported by the core Erlang libraries (RSA PSS, Edwards curves…). Extensions are not supported either. Pull requests are welcome!
Besides, the FIDO Alliance (that makes the FIDO standard) has released a test suite but it’s not working on Linux as of today.
Last but not least, its security has not been reviewed by anyone other than me, so as long as it has not been thoroughly checked by other experts, use it at your own risk. It also raises the question of open-source security libs that are actually never reread…
- Implementing the “Android Key attestation statement format” (one of the 6 attestation formats), I had to parse an ASN.1 record (whose schema in the Google doc is malformed) from an X.509 certificate custom extension, itself stored in a CBOR map. That was one hell of a ride, but not as much as the delicious Trusted Platform Module part 2 PDF doc.
- I noticed my computer had an SD slot while watching the demo video
It’s my first lib in Elixir, and I really enjoy the language. Binary pattern matching was particularly useful for this lib: it’s dead simple and so readable.
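To illustrate the point about binary pattern matching, here is an added example (not taken from Wax) that parses the fixed 37-byte header of WebAuthn authenticator data and applies the RP ID hash, user-presence and signature-counter checks a server performs on it. The module name `AuthDataExample`, the error atoms and the sample values are assumptions made for this illustration.

```elixir
defmodule AuthDataExample do
  # Added illustration, not Wax's code. Layout from the WebAuthn spec:
  # rpIdHash (32 bytes) | flags (1 byte) | signCount (uint32, big-endian) | rest
  # Flag bits, most significant first: ED, AT, 3 reserved, UV, 1 reserved, UP.
  def parse(
        <<rp_id_hash::binary-size(32), ed::1, at::1, _::3, uv::1, _::1, up::1,
          sign_count::unsigned-big-integer-size(32), rest::binary>>
      ) do
    {:ok,
     %{rp_id_hash: rp_id_hash, user_present: up == 1, user_verified: uv == 1,
       has_attested_credential: at == 1, has_extensions: ed == 1,
       sign_count: sign_count, rest: rest}}
  end

  # Fewer than 37 bytes (or not a binary): not authenticator data.
  def parse(_), do: {:error, :invalid_authenticator_data}

  # Checks made on the authenticator data of every assertion.
  def check(auth_data, expected_rp_id, stored_sign_count) do
    with {:ok, parsed} <- parse(auth_data),
         :ok <- check_rp_id(parsed.rp_id_hash, expected_rp_id),
         :ok <- check_user_present(parsed.user_present),
         :ok <- check_counter(parsed.sign_count, stored_sign_count) do
      {:ok, parsed}
    end
  end

  # The signed data carries the hash of the RP ID the key was used for; a
  # look-alike domain yields a different hash, which is what defeats phishing.
  defp check_rp_id(hash, rp_id) do
    if hash == :crypto.hash(:sha256, rp_id), do: :ok, else: {:error, :rp_id_mismatch}
  end

  defp check_user_present(true), do: :ok
  defp check_user_present(false), do: {:error, :user_not_present}

  # 0/0 means the authenticator keeps no counter; otherwise it must increase,
  # and a non-increasing value may indicate a cloned authenticator.
  defp check_counter(0, 0), do: :ok
  defp check_counter(new, stored) when new > stored, do: :ok
  defp check_counter(_, _), do: {:error, :sign_count_not_increased}
end

# Constructed sample: RP ID "example.com", flags UP+UV (0x05), counter 42.
sample = <<:crypto.hash(:sha256, "example.com")::binary, 0x05, 42::32>>
IO.inspect(AuthDataExample.check(sample, "example.com", 41))
IO.inspect(AuthDataExample.check(sample, "examp1e.com", 41))
```

These checks cover only the authenticator data; a server also verifies the signature over the authenticator data and the hash of the client data, as well as the challenge and origin inside the client data.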
Here are a few resources that might be helpful:
Introduction to WebAuthn API