What is FIDO2 WebAuthn?

And why you need to seriously consider WebAuthn for your organization

August 11, 2020

By Dusan Vitek, Director, Product Marketing, SecureAuth

WebAuthn is a new authentication standard allowing users to securely login without having to enter any password. The technology is enabled via built-in biometric sensors now shipping with almost every modern laptop or smartphone, or modern hardware tokens. When a user logs into a website (this can be your organization’s SSO Portal), the login page will prompt the user to touch the fingerprint reader, instead of requesting a password. The process is much easier for the user versus typing a code obtained from Google Authenticator, yet it provides the same level of high security.  

Why is this important for your organization? WebAuthn puts you on the most user-friendly path to password-less authentication. Your users already use password-less authentication in their personal life, often several times a day, by unlocking their iPhones with Touch ID or Face ID. WebAuthn helps you bring this familiar, frictionless experience to workplace login — just a single touch on the scanner, no need to look for a phone to accept a push notification or, even worse, type a code from Google Authenticator.

Touch ID FIDO2 laptop

How difficult is it to deploy WebAuthn? 

WebAuthn is a modern authentication protocol and therefore requires modern software and hardware to enable its functionality. You need to consider several things: 

  • Hardware: WebAuthn will run on Windows Hello devices, an Apple MacBook with Touch ID, Android mobile devices, or via a security key such as YubiKey 5 Series with FIDO2 WebAuthn support. 

  • Software: All major browsers released in 2020 now support WebAuthn.  

  • Identity provider: Your IAM solution must support WebAuthn authentication in its workflow. Many cloud-based Identity as a Service (IDaaS) and cloud IAM solutions, such as SecureAuth, now have built-in support for FIDO2 WebAuthn. 

Now, all you need to do is to add WebAuthn to a menu of allowed MFA methods by your organization and ask your users to enroll their Touch ID or Windows Hello devices. If they have previously enrolled an OTP app such as Google Authenticator, the process should feel quite familiar. And with two options—WebAuthn-compliant devices and a mobile app authenticator—you will provide enough flexibility for your users to authenticate even if they lose their laptop or phone.  

Once every user has two or more second factors for authentication, you can turn your focus and attention to going password-less – and removing the friction created by passwords from your organization. To get started, explore how your IAM solution allows you to configure authentication policies (sometimes called security policies or user policies). You will want to either modify or build new authentication workflows where instead of a password the user is prompted for WebAuthn (Touch ID or Windows Hello) or some other factor. 

With FIDO2 WebAuthn, you will make the login journey easier for all your users, improving the user experience without compromising security.  Oh yeah... there’s one benefit for you, and it’s a big one: the dreaded “password reset” will go away for good. And with it, your help desk will have the time to work on real issues.

 

How to get started  
Try WebAuthn in SecureAuth now.

 

Blog series 
SecureAuth introduces passwordless login with WebAuthn and a new defense against password attacks
Your fingerprint may be your best choice for secure SSO login – and the easiest

Learn more 
Follow us on Twitter at @SecureAuth, on LinkedIn at linkedin.com/company/secureauth-corporation/ and or bookmark our blog at secureauth.com/blog. 

Suggested reads

Ready for a Demo?

Eliminate identity-related breaches with SecureAuth!