Authentication is a sneaky problem - the most secure options don't usually have widespread adoption, especially among consumer applications. But what if we could fix that? Narrator: we can. WebAuthn is a somewhat new authentication standard that uses our everyday devices like phones and computers and turns them into phishing-resistant security keys. It almost sounds too good to be true. This talk will dig into how the technology works, when you can and should use it, and how to get started. We'll dig into why this isn't widely adopted yet and if or when we can expect it to be. You'll walk away with a better understanding of a new authentication channel and possibly some hope for a more secure future.

1. Everything you
want to know about
WebAuthn
Kelley Robinson

3. Everything you
want to know about
WebAuthn
Kelley Robinson

4. © 2020 TWILIO INC. ALL RIGHTS RESERVED.
krobinson@twilio.com
👋👩💻🔐
Kelley Robinson
@kelleyrobinson

5. TABLE OF CONTENTS
1. What is WebAuthn?
2. How WebAuthn works
3. Advantages
4. Obstacles
5. How to get started with
WebAuthn

6. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
What is WebAuthn?

7. What is WebAuthn?
"Web Authentication"
• Browser API for passwordless authentication
• Strong authentication using public key cryptography
• Specification developed by W3C and FIDO Alliance
• Scoped, site specific credentials
image source: https:/
/webauthn.guide/

8. Authenticator types
WebAuthn Spec Name Authenticator Examples
"Platform Authenticator"
Built into the
computer/phone
Windows Hello, fingerprint
reader, Face ID
"Roaming Authenticator" External security keys Yubikey, Titan Security Key
https://www.w3.org/TR/webauthn/#table-authenticatorTypes

9. FIDO Alliance
• Develops technical specifications for non-password
based authentication
• Certifies technology that meets specs

10. Relying party (RP) - business /
organization / website
CTAP - Client to Authenticator Protocol
U2F (=CTAP1) - Universal second factor
FIDO2 - WebAuthn + CTAP2
Terminology

11. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
HOW WEBAUTHN WORKS

12. Registration
User initiates new account registration
Server sends data to connect website + user to the credential
WebAuthn API prompts user to create a key pair, user chooses authenticator
Authenticator generates key pair bound to website + user data,
sends public key to the server
Server confirms registration, stores public key

13. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
REGISTRATION DEMO

14. Registration security
• Private key never leaves authenticator
• Biometric data never leaves authenticator
• Only public key and attestation are sent to server

15. What is attestation?
• Information about the authenticator being used
• Options: none, indirect, direct, enterprise
• Not required by default
Enables:
• allow-list of approved authenticators
• deny-list of known flawed authenticators
https:/
/www.w3.org/TR/webauthn/#enum-attestation-convey
https:/
/developers.yubico.com/WebAuthn/Concepts/Securing_WebAuthn_with_Attestation.html
https:/
/www.chromium.org/security-keys

16. Authentication
User initiates login
Server initiates challenge
Authenticator signs challenge with private key and sends to the server
Server verifies signature with the public key
Login approved or denied

17. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
AUTHENTICATION DEMO

18. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
ADVANTAGES

19. FEWER PASSWORDS

20. Phishing resistant
© 2019 TWILIO INC. ALL RIGHTS RESERVED.
Scoped credentials protect phishing targets

21. "Databases are no longer targets
because public keys are useless without
the corresponding private keys."
Yubico

22. Push 0.029 -0.204 113 (-0.374, -0.020)
U2F <0.003 -0.269 118 (-0.429, -0.093)
Codes 0.426 -0.076 110 (-0.260, 0.113)
understand their background and feelings about online secu-
rity. With the consent of each participant, we recorded the
audio of each interview. Two coders listened to the record-
ings and coded each interview, discussing each response until
reaching agreement. Common themes identified from the
recordings are discussed in section 5.2.
4.8 Compensation
Participants were compensated a maximum of 25 USD after
their participation in the study according to a tiered compen-
sation structure based on the total number of tasks completed
through the banking interface.
5 Two-week Study Results
5.1 Quantitative Results
5.1.1 Timing Data
We measured both the time for the password login and the time
Figure 2: Time to authenticate for five 2FA methods
https://www.usenix.org/system/files/soups2019-reese.pdf
Duo 2019 State of the Auth Report
Speedy
• U2F has fastest median
authentication time
• Compared to SMS, U2F saves a user
18.2 minutes annually

23. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
OBSTACLES

24. Incomplete browser support
87.39% support
https://caniuse.com/?search=webauthn

25. Limited authenticator
availability
• Roaming authenticators are expensive
• Platform authenticators are not ubiquitous

26. Check your browser &
device compatibility:
twil.io/webauthn

27. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
COMPATIBILITY DEMO

28. https:/
/www.okta.com/businesses-at-work/2021/#developers-at-work

29. https://github.com/duo-labs/py_webauthn/blob/master/webauthn/webauthn.py
New technology
• Limited documentation and sample apps
• Nascent library support
• Cryptography can be scary

30. N=31 %
Google
Success 26 83%
Correctly identified completion 22 70%
Failure 5 16%
Facebook
Success 10 32%
Correctly identified completion 6 19%
Failure 21 67%
Registered YubiKey without enabling 2FA 12 38%
Windows 10
Success 12 38%
Set up the Windows Logon Authorization Tool 5 16%
Set up YubiKey for Windows Hello 7 22%
Failure 19 61%
Failed to set up the Windows Logon Authorization Tool 9 29%
Failed to set up YubiKey for Windows Hello 5 16%
Locked out of the computer 6 19%
TABLE I
LABORATORY STUDY SUCCESS RATES
F
k
th
t
l
r
a
t
p
t
n
https://isrl.byu.edu/pubs/sp2018.pdf
Factor registration
Onboarding UX impacts users' success

31. https://www.usenix.org/system/files/soups2019-reese.pdf Figure 3: SUS scores for five 2FA methods.
"Faster authentication does not
necessarily mean higher usability"
Factor usability

32. Account Recovery
https:/
/twitter.com/p1nt1nh0/status/1369637197394153474

33. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
HOW TO GET STARTED

34. webauthn.guide

35. codelabs.developers.google.com/codelabs/webauthn-reauth

36. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
BEST PRACTICES

37. Embrace fallback options
Prepare for:
• Lost/unavailable authenticator
• Biometric authenticator not working
when a user's finger is wet or wearing
a mask
https:/
/github.com/settings/two_factor_authentication/configure
https:/
/codelabs.developers.google.com/codelabs/webauthn-reauth#5

38. Account recovery
• Encourage adding multiple
authenticators
• Don't force users to fallback to less
secure channels, but offer fallback
options to TOTP, security codes, or
(gasp) even SMS
Cloudflare 2FA onboarding

39. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
🦄 WebAuthn is both a secure and usable account security option
👩💻 Network effects will help bolster adoption
✍ Passwords aren't going away overnight
☀ ...but there's reason for hope
Takeaways

40. @kelleyrobinson
THANK YOU

41. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
Resources
• https:/
/caniuse.com/?search=webauthn
• webauthn.guide
• webauthn.io
• Guide to FIDO2 and WebAuthn Terminology
• What is FIDO2
• Beyond Passwords: Simpler, Stronger Authentication
with FIDO2 [Video]
• fidoalliance.org/
• WebAuthn Spec
• CTAP Spec
• https:/
/developers.yubico.com/WebAuthn/
• https:/
/codelabs.developers.google.com/codelabs/
webauthn-reauth#0
• https:/
/blog.cloudflare.com/cloudflare-now-
supports-security-keys-with-web-authentication-
webauthn/
• https:/
/github.com/OWASP/SSO_Project
• https:/
/www.twilio.com/blog/detect-browser-
support-webauthn
• https:/
/github.com/robinske/webauthn-support-
check