11

In theory, authenticating with a public key should be much simpler than with a password. There is nothing for the end user to remember, and registration can be done just by clicking a button. For all intents and purposes, this should be much more user-friendly than traditional password-based authentication.

So, why is WebAuthn not used everywhere? Why has it not replaced passwords already?

  • Wouldn't the end user need to be tech savvy enough to back up/transfer/secure the authentication token? – user Feb 26 '21 at 15:35
  • Excellent question, +1. Related: https://security.stackexchange.com/questions/150071/using-fido-u2f-or-similar-as-primary-authentication-method – mti2935 Feb 26 '21 at 15:45

2 Answers

6

It is not as flexible.

I am at my friend's place and I get an alert on my phone that someone wired some money out of my bank account! I need to log in to my bank's site to check what's up. But my public key/cert is on my computer, and I have not registered with the bank using my friend's machine. Or I forgot to carry my YubiKeys with me. Now what do I do to quickly log in?

It does not have the necessary client support yet.

We use WebAuthn for some of our internal workflows in our organization. It works flawlessly in web browsers, but it doesn't have the necessary support in other clients yet. For example, there are several applications that run as desktop clients on Windows, Linux, Mac, etc.

If you look at the support matrix on the FIDO Alliance's website, their support for some scenarios is still work in progress:

[image: FIDO Alliance support matrix] (Source)

Electron is a popular application framework based on the Chromium browser. It doesn't have a clear answer for U2F support yet. Some users claim it works, while others can't get it to work.

If your application is going to be supported outside of just a browser, then currently you don't have much choice.

One of the major device makers, Apple, joined the FIDO Alliance to move users away from passwords as late as Feb 2020. So there wasn't enough urgency to even support many of the user scenarios.

It is not an easy job to replace passwords entirely

Getting rid of passwords means changing user behavior. That takes a while. Here, usability of your security mechanism plays a huge role.

Before Face ID, biometric auth in phones, and Windows Hello, there was no cheap way for the general public to use anything other than passwords to log in. And these are fairly recent technologies.

Mobile phones have done a great job so far of integrating separate authenticators like swipe patterns, biometrics, etc. to replace passwords. But until we get such easy and free technologies available to the mass market for desktop, it is going to be hard to replace passwords.

– Limit
2

Limit's answer explains three good reasons why this technology has not taken off just yet, but I have one more:

Developer time is limited and expensive

When companies look at what needs to be implemented in their products, most of them are not going to be interested in spending time adding additional authentication methods when they "already have perfectly serviceable methods in place". This is the same reason that many companies still don't have multi-factor authentication and/or modern password complexity requirements.

One example of a large site that does support WebAuthn as a primary authentication method is eBay. Their blog post only mentions mobile devices, but I'm using it on my laptop with a fingerprint reader and Windows Hello:

[image: Windows Hello]

I write software, and I know I could implement this for my own products, except for one problem: eBay has 30,000 employees, including a lot of developers, while the company I work for has fewer than a dozen developers.

Like the reasons in the other answer, this will also be resolved in time; it will just have to wait until either we get to the lower-priority TODO items or there is some reason to make it a higher priority.

– Moshe Katz