WebAuthn is a new authentication standard that lets users securely log in without entering a password. The built-in biometric sensors that now ship with every modern laptop or smartphone, as well as modern hardware tokens, all work with WebAuthn.
How does WebAuthn work? First, a user opens the login page of a website (this can be your organization’s SSO portal). Instead of requesting a password, the login page prompts the user to touch the fingerprint reader. The process is much easier for the user than typing a code obtained from Google Authenticator. Yet, it provides the same level of high security.
Why is this important for your organization? WebAuthn puts you on the most user-friendly path to password-less authentication. Your users already use password-less authentication in their personal life, often several times a day, by unlocking their iPhones with Touch ID or Face ID. WebAuthn helps you bring this familiar, frictionless experience to workplace login — just a single touch on the scanner, no need to look for a phone to accept a push notification or, even worse, type a code from Google Authenticator.
How difficult is it to deploy WebAuthn?
WebAuthn is a modern authentication protocol. As a result, it requires modern software and hardware. You need to consider several things:
- Hardware: WebAuthn will run on Windows Hello devices, an Apple MacBook with Touch ID, Android mobile devices, or via a security key such as YubiKey 5 Series with FIDO2 WebAuthn support.
- Software: All major browsers released in 2020 now support WebAuthn.
- Identity provider: Your IAM solution must support WebAuthn authentication in its workflow. Many cloud-based Identity as a Service (IDaaS) and cloud IAM solutions, such as SecureAuth, now have built-in support for FIDO2 WebAuthn.
Set up WebAuthn in your cloud IAM
Now, you need to add WebAuthn to the menu of allowed MFA methods and ask your users to enroll their Touch ID or Windows Hello devices. If they have previously enrolled an OTP app such as Google Authenticator, the process should feel quite familiar. With two options, WebAuthn-compliant devices and a mobile app authenticator, you give your users enough flexibility to authenticate even if they lose their laptop or phone.
Once every user has two or more second factors enrolled, you can turn your attention to going password-less and remove the friction that passwords create in your organization. To get started, explore how your IAM solution lets you configure authentication policies (sometimes called security policies or user policies). Either modify existing authentication workflows or build new ones in which, instead of a password, the user is prompted for WebAuthn (Touch ID or Windows Hello) or some other factor.
With FIDO2 WebAuthn, you will make the login journey easier for all your users. You will improve the user experience without compromising security. There’s one extra benefit for you, and it’s a big one: the dreaded “password reset” will go away for good. And with it, your help desk will have the time to work on real issues.
How to get started
Try WebAuthn in SecureAuth now.
- FIDO2 (WebAuthn) global MFA settings
- Define login workflow and multi-factor methods settings in a policy