By Dusan Vitek, Director, Product Marketing, SecureAuth
WebAuthn is a new authentication standard that allows users to log in securely without entering a password. The technology relies on the built-in biometric sensors now shipping with almost every modern laptop or smartphone, or on modern hardware tokens. When a user logs into a website (this can be your organization’s SSO Portal), the login page prompts the user to touch the fingerprint reader instead of requesting a password. The process is much easier for the user than typing a code obtained from Google Authenticator, yet it provides the same level of high security.
Why is this important for your organization? WebAuthn puts you on the most user-friendly path to password-less authentication. Your users already use password-less authentication in their personal lives, often several times a day, by unlocking their iPhones with Touch ID or Face ID. WebAuthn helps you bring this familiar, frictionless experience to workplace login: just a single touch on the scanner, with no need to look for a phone to accept a push notification or, even worse, type a code from Google Authenticator.
How difficult is it to deploy WebAuthn?
WebAuthn is a modern authentication protocol and therefore requires modern software and hardware to enable its functionality. You need to consider several things:
Hardware: WebAuthn will run on Windows Hello devices, an Apple MacBook with Touch ID, Android mobile devices, or via a security key such as YubiKey 5 Series with FIDO2 WebAuthn support.
Software: All major browsers released in 2020 now support WebAuthn.
Identity provider: Your IAM solution must support WebAuthn authentication in its workflow. Many cloud-based Identity as a Service (IDaaS) and cloud IAM solutions, such as SecureAuth, now have built-in support for FIDO2 WebAuthn.
Now, all you need to do is add WebAuthn to your organization's menu of allowed MFA methods and ask your users to enroll their Touch ID or Windows Hello devices. If they have previously enrolled an OTP app such as Google Authenticator, the process should feel quite familiar. And with two options, WebAuthn-compliant devices and a mobile app authenticator, you will provide enough flexibility for your users to authenticate even if they lose their laptop or phone.
Once every user has two or more second factors for authentication, you can turn your attention to going password-less and removing the friction created by passwords from your organization. To get started, explore how your IAM solution allows you to configure authentication policies (sometimes called security policies or user policies). You will want to either modify existing authentication workflows or build new ones in which, instead of a password, the user is prompted for WebAuthn (Touch ID or Windows Hello) or some other factor.
With FIDO2 WebAuthn, you will make the login journey easier for all your users, improving the user experience without compromising security. Oh yeah... there’s one benefit for you, and it’s a big one: the dreaded “password reset” will go away for good. And with it, your help desk will have the time to work on real issues.
How to get started
Try WebAuthn in SecureAuth now.