WebAuthn - a better alternative to passwords?

Overview

WebAuthn (Web Authentication API) is a specification written by W3C and FIDO that allows servers to register and authenticate users using public key cryptography instead of a password.

It relies on three major properties:-

  • Strong - typically backed by a hardware security module.

  • Scoped - credentials are tied to a domain and a device to avoid phishing.

  • Attested - key certificates allow server-side validation of the originating authenticator.

It can authenticate a user in two possible modes depending on browser and authenticator support:-

  • Password-less - The relying party supplies a credential or list of credentials which the authenticator then validates and returns a signed result. This can be used when the user is already known to the relying party to validate their presence.

  • Username-less - The relying party doesn’t know who the user is and requests that the credential (or user selected credential if multiple exist) is returned to the relying party to both identify and authenticate the user.

WebAuthn is currently supported with varying feature coverage by the major browsers except Safari.


Capabilities

  • Browser driven API only.

  • Two API functions: create credentials, get credentials.

  • Password-less & Username-less Authentication.

  • User verification can be required or optional (the authenticator locally authorizes the create or get operation, e.g. via biometrics or PIN). It is not possible to specify that e.g. only biometrics should be used and not a PIN.

  • User presence can be required or optional (a simple form of authorization gesture: the user interacts with the authenticator, typically by touching it). When user verification is disabled, user presence is always enabled.

  • The form of user verification used by the consumer is not known to the invoking party. It is defined between the consumer and the OS/hardware they are using, and WebAuthn does not specify that these details be returned.

  • We can supply a collection of credentials (all credentials across all devices for a known user) and the first matching credential will be returned.


Operation

The sequence diagrams below illustrate the registration (credential creation), password-less authentication and username-less authentication ceremonies. (The actual data passed to and returned from the authenticator has been simplified so as not to detract from the operation being shown.)

[Sequence diagram: Registering a new credential]

[Sequence diagram: Password-less authentication]

[Sequence diagram: Username-less authentication]
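To make the two API calls and the two authentication modes concrete, here is an added example (not code from the original post) that builds the option objects for create (registration) and get (authentication), for both password-less and username-less modes, and shows the first server-side check on the returned clientDataJSON. RP_ID, RP_NAME, the algorithm choices and the sample user are assumptions chosen for illustration.

```javascript
// Added example, not from the original post. RP_ID, RP_NAME, the algorithm
// list and any sample values are assumptions for illustration only.
const RP_ID = "example.com";   // credentials are scoped to this domain
const RP_NAME = "Example Shop";

// Registration options for navigator.credentials.create(). The challenge is
// server-generated random bytes; never make it up client-side. usernameless=true
// asks for a discoverable (resident) credential, which the authenticator can
// later return without the relying party naming it first.
function buildCreateOptions({ challenge, user, usernameless = false, userVerification = "required" }) {
  return { publicKey: {
    rp: { id: RP_ID, name: RP_NAME },
    user: { id: user.id, name: user.name, displayName: user.displayName },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }], // ES256, RS256
    timeout: 60000,
    attestation: "direct",   // request attestation so the server can validate the authenticator
    authenticatorSelection: {
      residentKey: usernameless ? "required" : "discouraged",
      requireResidentKey: usernameless,
      userVerification,      // "required" or "preferred"; PIN vs biometric is not selectable
    },
  } };
}

// Authentication options for navigator.credentials.get(). Password-less mode
// lists the known user's credential ids (all devices); username-less mode sends
// an empty allowCredentials list so the authenticator picks a discoverable
// credential and its userHandle identifies the user.
function buildGetOptions({ challenge, knownCredentialIds = [], userVerification = "required" }) {
  return { publicKey: {
    rpId: RP_ID,
    challenge,
    timeout: 60000,
    userVerification,
    allowCredentials: knownCredentialIds.map((id) => ({ type: "public-key", id })),
  } };
}

// Server side, first step for either ceremony: clientDataJSON must echo the
// challenge we issued (as base64url text), carry the expected type and come
// from an origin on our rpId. This is where the "scoped" property is enforced.
function checkClientData(clientDataJSON, expected) {
  const data = JSON.parse(new TextDecoder().decode(clientDataJSON));
  if (data.type !== expected.type) return { ok: false, reason: "unexpected type " + data.type };
  if (data.challenge !== expected.challenge) return { ok: false, reason: "challenge mismatch" };
  if (data.origin !== expected.origin) return { ok: false, reason: "origin mismatch " + data.origin };
  return { ok: true, reason: "" };
}
```

The signature over authenticatorData and the hash of clientDataJSON still has to be verified against the stored public key afterwards; this check only rejects replayed challenges and responses from the wrong origin before that work is done.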

Conclusions

WebAuthn offers clear benefits by improving security with minimal additional friction to the user experience in some scenarios and actually reduces friction in others. However, adding WebAuthn functions leads to a number of architectural headaches due to the domain-limitation imposed by WebAuthn.

Advantages

  • More secure than OTP

  • Faster login than OTP

  • Could add a transaction authorisation step-up with minimal UX friction. Could be viewed as positive friction.

  • Transaction auth via WebAuthn has the potential to feed into 3DS2 to further reduce friction.

  • Better perceived security (consumer confidence)

Disadvantages

  • New device login situation is worse - it still needs OTP, then adds friction by requiring WebAuthn credential creation on top.

  • Requires introduction of shared domain and management thereof to be usable.

Limitations

  • Needs to be introduced in conjunction with a shared domain to be workable.

  • Still needs OTP as a fallback and before credential creation.

  • No widespread browser/device coverage right now.

  • Credentials are bound to a device, so at least one credential per device is needed.

  • Right now WebAuthn is an add-on only because of OS/browser/device coverage.
