
The Web Authentication API allows websites served via HTTPS to let users authenticate via asymmetric encryption. The procedure for login is basically the following:

  1. Server sends a challenge (16 random bytes);
  2. Client signs the challenge;
  3. Client sends the signature.

How is this better than password-based authentication?

MDN says:

This resolves significant security problems related to phishing, data breaches, and attacks against SMS texts or other second-factor authentication methods [...]

I don't understand how it prevents phishing or attacks against 2FA methods. Data breach consequences are not reduced if the passwords are properly hashed, and TLS already ensures that a man-in-the-middle can't steal the password or perform replay attacks, right?

D. Pardal
    see https://blog.cloudflare.com/cloudflare-now-supports-security-keys-with-web-authentication-webauthn/ – mti2935 Oct 29 '20 at 17:58
  • Thanks for the link, @mti2935. It is indeed useful for external authenticators, where you can plug them into any computer and that computer can only log in while it has access to the authenticator device. – D. Pardal Oct 29 '20 at 18:24

1 Answer

WebAuthn essentially protects against phishing.

An attacker can create a fake website (of your bank, for example) and convince you to enter your password on the fake website. Then, the attacker can freely replay it to the real website of the bank.

Same applies for SMS One-Time Passwords (often used as a second factor). For instance, an attacker can impersonate an employee of the bank on the phone and ask you for the SMS code you've just received.

WebAuthn registration binds the credential to the domain name of the legitimate site. An attacker who doesn't own this domain name cannot, under any circumstances, get a valid WebAuthn authentication response from a fake website (and replay it on the legitimate site) because of that.

Tangui