Cloud Series: Say Goodbye to Passwords and Usernames
If you already use passwordless authentication, then you’re going to like authentication without a username. This new capability is an extension of the FIDO 2.0 WebAuthn specification, which currently allows users to use FIDO2-compliant Security Keys. These can be external keys, such as Yubico, or in-built platform keys accessed via Touch ID or Windows Hello to authenticate instead of a password on enabled sites. The new Resident Key credential – available in both the ForgeRock Identity Platform 7.0 release and the ForgeRock Identity Cloud – will allow users to authenticate to an enabled app or website without needing to enter a username or password.
What Is WebAuthn?
WebAuthn is a web standard published by the World Wide Web Consortium (W3C) and an important part of FIDO 2.0 from the Fast Identity Online (FIDO) Alliance, whose members currently include Google, Microsoft, ARM, Bank of America, Mastercard, Visa, Samsung, LG, Dell, and RSA, among others. As a W3C standard, WebAuthn is starting to gain wide adoption through native support in the latest Chrome, Firefox, Safari, and Edge browsers.
Support for Resident Keys, which provides for usernameless authentication, is currently native to Chrome and Edge and will be added to other browsers soon. This expansion of the WebAuthn protocol will be part of the ForgeRock Identity Platform 7.0 and the ForgeRock Identity Cloud. It will deliver usernameless user flows, as well as device attestation, origin domains, and richer integrations into our Intelligent Authentication framework.
Easy to Use
To start using WebAuthn, a visitor to an enabled website is offered the opportunity to create and register a token. Enabled sites may prompt the user to insert a physical token into a USB port or tap it against an Android phone.
Whenever the user returns to that website, the authenticator creates an assertion signed with the private key it generated during registration, proving that the user holds that key. The site's server then verifies the assertion with the public key it stored at registration. The user never again needs to provide a username and password to that site from that device.
What Is a Resident Key?
A Resident Key is a password-less and username-less credential that may be stored in the browser, on the user’s device, or in an authenticator. Some have suggested a better name may be a “discoverable key”, because when a user returns to an enabled website, that site can discover the presence or absence of any keys related to the website in the user’s browser, on the user’s device, or in an authenticator.
The user experience would be similar to (although technically very different from) using single sign-on (SSO) today. A user might navigate to a login page. Instead of typing in a username or password, the user would plug in and then use an authenticator, such as an external key like Yubico or an in-built platform key accessed via Touch ID or Windows Hello. The user is then logged in without the need for any further action.
Because WebAuthn is governed by the W3C, there's more going on behind the scenes than just authentication. For example, by keeping the private key on the device or authenticator and not on a remote server, WebAuthn can help to provide stronger web security against phishing and man-in-the-middle attacks.
How? When a user first creates a passwordless or usernameless credential, a public key is shared with the legitimate website, and the credential is bound to that site's origin. If there is a phishing attack, the login process will not work: directed to a non-WebAuthn-enabled copy of the site, the user’s key will fail and they will be prompted to enter a username and password. This interruption of a frictionless login experience should at least alert the user that something is wrong. And because users no longer type passwords and usernames, there is nothing for a password-stealing man-in-the-middle eavesdropper to capture.
To learn more about a passwordless future, ForgeRock’s Ben Goodman recently published a three-part blog series, Passwordless. The series describes how mobile phone providers were the leaders in passwordless authentication, continues with a bit more detail about FIDO 2.0 and WebAuthn, and concludes with how ForgeRock’s unique implementation allows for our ever-expanding Trust Network to add a wide range of choices of biometrics and other technologies for your customers.