WebAuthn: what it is, and how it works

WebAuthn technology is pivotal to passwordless authentication. When implemented correctly, the specification makes it simple and secure to sign in to accounts without entering a traditional password.

If you have questions about WebAuthn, you’re not alone. After all, it’s not a term you hear often in casual conversation … unless you’re really into security.

Here, we’re going to unpack the term and explain how it allows developers to offer passwordless solutions. This will give you a better understanding of where cybersecurity is headed, and why so many companies including 1Password are excited by the technology underpinning it.

What is WebAuthn?

WebAuthn, or Web Authentication, is an API that gives website developers the ability to support a passwordless login experience on their websites and in apps. It’s an essential piece of software that connects those websites and apps with your chosen authenticator.

Authenticators are available in two forms:

  • Roaming authenticators. These are standalone devices that are easy to carry around, like a hardware security key.
  • Platform authenticators. These are built into something you already use, like your PC or phone.

The WebAuthn standard was developed by the FIDO Alliance, an open industry association that wants to reduce the world’s reliance on passwords, and the World Wide Web Consortium (W3C), a community that works together to develop new standards and guidelines for the web. 1Password is a member of the FIDO Alliance, along with some of the largest technology companies in the world including Apple, Google, and Microsoft.

How does WebAuthn work?

Right now, you likely sign in to most websites and apps with a traditional username and password. The password is usually run through a hashing algorithm, which turns it into scrambled gibberish that’s useless to any theoretical attacker. The website or app then checks that the hashed version of the password you submitted matches the hashed version stored on its server. If everything lines up, the website or app will trust you’re the account owner and allow you to sign in.

WebAuthn is a different approach. Instead of a traditional password, it uses public and private keys – otherwise known as public-key cryptography – to verify that you are who you say you are.

Public and private keys are mathematically linked to one another. You can think of them like interlocking puzzle pieces – they’re designed to go together, and can’t be used with any other public or private keys. As the name implies, the public key can be shared publicly. In the context of WebAuthn, this means the website you want to sign in to knows and holds a copy of your public key.

The private key, meanwhile, is kept secret and safe. In public-key cryptography, it’s used to decrypt data that’s been encrypted with your public key and, as WebAuthn does, to create signatures that your public key can verify. Unlike a traditional password, it’s not shared with the website you want to sign in to. That means it’s also never stored on the website’s server.

When you create a new account using WebAuthn

Okay, so those are the basics. To understand how this works in practice, we need to break down:

  • Creating a new account using WebAuthn.
  • Signing in to an existing account that uses WebAuthn.

Let’s start with the former. When you create a new account with WebAuthn, your device sends a request to the website or app’s server. Your chosen authenticator – which could be your PC, phone, or a hardware security key – then generates a new public and private key pair. The public key is sent to the website or app’s server for storage, while the private key remains on your authenticator.

When you sign in to an account using WebAuthn

Now you can sign in without entering a traditional password. The website or app will issue a “challenge” to check that your authenticator has the correct private key. You can think of this challenge like a special bank check that will only be accepted if it’s signed with your one-of-a-kind fountain pen (i.e., your private key).

Your chosen authenticator “signs” the challenge using your private key and sends the completed signature to the website or app. Finally, the website or app verifies the signature using your public key, which is already stored on its server.

All of these steps happen in the background. From your perspective, you simply select the ‘sign in’ prompt on the app or website and, if required, authenticate using biometrics. And then that’s it! You’ve successfully signed in using WebAuthn technology.
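The registration and sign-in steps above, modeled as an added Node.js example (not 1Password's code or the browser WebAuthn API). It is simplified: the authenticator signs the bare challenge, whereas a real authenticator signs its authenticator data together with a hash of the client data; the `Authenticator` and `Server` classes and the account name are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Authenticator (phone, PC or security key): the private key never leaves it.
class Authenticator {
  register() {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
    this.privateKey = privateKey;
    return publicKey.export({ type: 'spki', format: 'der' }); // only this is sent
  }
  sign(challenge) {
    return nodeCrypto.sign('sha256', challenge, this.privateKey);
  }
}

// Website or app server: stores public keys and issues single-use challenges.
class Server {
  constructor() { this.publicKeys = new Map(); this.pending = new Map(); }
  storePublicKey(user, spkiDer) { this.publicKeys.set(user, spkiDer); }
  issueChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verifySignIn(user, signature) {
    const challenge = this.pending.get(user);
    const spkiDer = this.publicKeys.get(user);
    this.pending.delete(user); // a challenge is accepted at most once
    if (!challenge || !spkiDer) return false;
    const key = nodeCrypto.createPublicKey({ key: spkiDer, format: 'der', type: 'spki' });
    return nodeCrypto.verify('sha256', challenge, key, signature);
  }
}

function demo() {
  const server = new Server(), device = new Authenticator(), other = new Authenticator();
  server.storePublicKey('alice', device.register()); // constructed account name
  other.register();
  const sig = device.sign(server.issueChallenge('alice'));
  const ok = server.verifySignIn('alice', sig);
  const replay = server.verifySignIn('alice', sig); // challenge already consumed
  server.issueChallenge('alice');
  const stale = server.verifySignIn('alice', sig); // old signature, fresh challenge
  const wrongKey = server.verifySignIn('alice', other.sign(server.issueChallenge('alice')));
  return { ok, replay, stale, wrongKey };
}
```

Only the first attempt succeeds: a captured signature is useless once its challenge is consumed, and a different authenticator's key cannot produce a signature the stored public key accepts.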

The advantages of WebAuthn

WebAuthn offers a number of benefits over traditional passwords:

  • Your private key is never shared with the website you want to sign in to. That means you don’t have to worry about how the website is storing your private key.

  • Your public key can’t be used to figure out your private key. If a criminal breaches a website’s servers, the best they can hope to find is your public key, which can’t be used to sign in to your account.

  • WebAuthn is a strong defense against phishing and social engineering attacks. Criminals will often create fake but seemingly authentic websites to try to trick you into sharing your login details. WebAuthn protects you by ensuring that you never share your credentials with untrusted websites.

  • You don’t have to memorize or type your private key. However, a website might give you some backup codes to hold onto, or prompt you to create a password, just in case you lose access to your authenticator(s).
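The phishing resistance in the third point comes partly from the browser, which records the origin of the page that asked for the signature in the signed client data (`clientDataJSON` in the WebAuthn specification), and from the server, which rejects any response whose origin is not its own. The following is an added example of that server-side check, not code from the original post; the origins, challenge bytes and function names are constructed for illustration.

```javascript
const EXPECTED_ORIGIN = 'https://accounts.example.com'; // hypothetical site

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Stand-in for the browser: it fills in the origin of the page actually shown.
function browserClientData(pageOrigin, challenge, type = 'webauthn.get') {
  const data = { type, challenge: b64url(challenge), origin: pageOrigin };
  return Buffer.from(JSON.stringify(data));
}

// Server-side checks on clientDataJSON before the signature is verified.
function checkClientData(clientDataJSON, expectedChallenge) {
  let data;
  try { data = JSON.parse(clientDataJSON.toString('utf8')); }
  catch { return 'malformed'; }
  if (!data || typeof data !== 'object') return 'malformed';
  if (data.type !== 'webauthn.get') return 'wrong-type';
  if (data.challenge !== b64url(expectedChallenge)) return 'challenge-mismatch';
  if (data.origin !== EXPECTED_ORIGIN) return 'origin-mismatch';
  return 'ok';
}

function originDemo() {
  const challenge = Buffer.from('constructed-challenge-0001');
  const lookalike = 'https://accounts.example.com.signin.test'; // constructed
  return {
    legit: checkClientData(browserClientData(EXPECTED_ORIGIN, challenge), challenge),
    lookalike: checkClientData(browserClientData(lookalike, challenge), challenge),
    wrongType: checkClientData(
      browserClientData(EXPECTED_ORIGIN, challenge, 'webauthn.create'), challenge),
    oldChallenge: checkClientData(
      browserClientData(EXPECTED_ORIGIN, Buffer.from('earlier')), challenge),
    garbage: checkClientData(Buffer.from('not json'), challenge),
  };
}
```

Because the signature covers a hash of this client data, a response relayed from a lookalike page either carries the wrong origin or fails signature verification.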

How WebAuthn relates to passkeys

WebAuthn isn’t new. The project was started in 2016, and the WebAuthn Level 1 standard was published as a W3C recommendation three years later. The API is already supported by many web browsers, including Chrome, and various hardware security keys (roaming authenticators).

But the standard has yet to go truly mainstream. Most people still use a traditional username and password for all of their online accounts. And few websites offer a passwordless login experience right now.

Some of the largest technology companies are working on a solution called passkeys, which leverage the WebAuthn standard. Passkeys allow you to seamlessly and securely sign in using your existing devices (platform authenticators). WebAuthn is already in use; however, passkeys could give the standard its largest exposure to date and boost adoption thanks to their convenience, ease of use, and added security.

The bottom line

WebAuthn is an open standard that helps make it simple and secure to sign in to your favorite websites without a traditional password. Here at 1Password, we’re excited by the standard’s potential, and are already working to integrate WebAuthn keys into our password manager. (We’ll have more to share soon!)

If you want to learn more about our thoughts on WebAuthn, passkeys, and everything else related to passwordless authentication, check out:

Nick Summers - Content Marketing Manager