WebAuthn

WebAuthn (short for Web Authentication API) is a specification written by the W3C and FIDO, with the participation of Google, Mozilla, Microsoft and Yubico, among others. The API allows servers to register and authenticate users using public key cryptography instead of a password. From the description in the Guide to Web Authentication:

[WebAuthn] allows servers to integrate with the strong authenticators now built into devices, like Windows Hello or Apple’s Touch ID. Instead of a password, a private-public keypair (known as a credential) is created for a website. The private key is stored securely on the user’s device; a public key and randomly generated credential ID is sent to the server for storage. The server can then use that public key to prove the user’s identity.

The public key is not secret, because it is effectively useless without the corresponding private key. The fact that the server receives no secret has far-reaching implications for the security of users and organizations. Databases are no longer as attractive to hackers, because the public keys aren’t useful to them.

WebAuthn is part of the FIDO2 framework, which is a set of technologies that enable passwordless authentication between servers, browsers, and authenticators. As of January 2019, WebAuthn is supported on Chrome, Firefox, Edge, and Safari.

More information is available at https://webauthn.guide.

Registration Flow

Screenshot showing a user navigating to a website for WebAuthn registration.

Authentication Flow

Screenshot showing a web authentication flow diagram illustrating the interaction between a user's device and a relying party's website.

Registering a device in Security Portal

There are two ways to register a device in the Security Portal using the WebAuthn strategy:

Registering during Login

  1. If a user is successfully authenticated in the Security Portal, a new step appears when accessing the MES for the first time, asking the user to register the device they are currently using as an authentication device:

    Screenshot showing the registration prompt during login process.

  2. Pressing the No, thanks button skips this step and allows the user to proceed with the login flow. Pressing the Yes, use this device button lets the user register their device using WebAuthn. In the following screenshot the registration used Windows Hello with a PIN input, but this could be configured to use a fingerprint reader, a face recognition mechanism or a USB key.

    Note

    Please consult your device documentation to see what types of authentication methods are available for use.

    Screenshot showing the Windows Security prompt ("Making sure it's you") during the registration process.

  3. After registering the WebAuthn device, your browser may request permissions to allow the Security Portal site to access the device:

    Screenshot showing a browser permissions request for accessing a WebAuthn device.

  4. Please grant access to the browser in order to finish the registration process.

    Info

    This step only appears once for each combination of user and browser. In other words, if the same user attempts to log in with the same browser, this "device registration" step will not appear again.

Registering after Login

If the user doesn't register the browser during the login phase, it is also possible to do so from the User page within the MES:

  1. Navigate to the User page and scroll down to the Device section:

    Screenshot showing a user interface with an administrator login prompt and device registration options.

  2. In the Device section you can find a Register dropdown button showing the possible ways through which the user can register their device:

    Screenshot showing the Register dropdown menu in the Device section, listing possible registration methods.

  3. Clicking on the WebAuthn link will open a new tab in the browser, allowing the user to register their device:

    Screenshot showing the WebAuthn registration process in a new browser tab.

  4. By pressing the Add Device button the user will be able to add the device as an authentication device.

    Info

    This page implements the same WebAuthn technology as the registration page discussed previously, which is shown when the user authenticates in the Security Portal using a new browser. This means that the registration can be done, among other ways, via a fingerprint reader, face recognition or a USB key. Please consult your device's documentation to see what styles of authentication are available for your device. Windows Hello is used in the screenshots shown in this guide:

    Screenshot showing the Windows Security window with a prompt for registering after login.

  5. After registering the WebAuthn device, your browser may request permissions to allow the Security Portal to access the device. Please grant access to the browser in order to finish the registration:

    Screenshot showing a WebAuthn registration process, with a browser requesting permissions to access the Security Portal.

  6. A message is shown on the screen to inform the user that the device has been registered successfully:

    Screenshot showing the confirmation message for a successful registration.

Performing passwordless authentication in Security Portal

In order to authenticate a user using a previously registered device, perform the following steps:

  1. In the Security Portal interface select the strategy that was configured as a WebAuthn strategy. In the following screenshot this was the WebAuthn strategy:

    Screenshot showing the selected authentication strategy in the Security Portal, labeled "WebAuthn"

  2. In the WebAuthn login page, enter the name of the user to log in as in the input field and press Login:

    Screenshot showing a WebAuthn login page with an input field for entering the username.

  3. Authenticate your device. As indicated before, Windows Hello is used to authenticate the device via a PIN in this guide, but other technologies could be used. Please consult your device documentation to see what styles of authentication are available for use:

    Screenshot showing the Windows Security window with an error message.

  4. After the device is authenticated, the user is redirected to the MES interface.

    Info

    If a user is accessing the MES system using a browser that they had already registered as a WebAuthn authentication device, steps 1 and 2 are performed automatically by the system with no need for user interaction. In this scenario, the Windows Hello window is automatically displayed to the user and they only need to validate their device in order to access the MES interface.