Summary of "Web Security - Lecture 14 - WebAuthn - The future of user authentication - Lucas Garron"

Summary of “Web Security - Lecture 14 - WebAuthn - The future of user authentication” by Lucas Garron

---

Main Ideas and Concepts

Introduction to Lucas Garron and Background

• Lucas Garron is a security engineer with experience on the Chrome security team, having worked on bad SSL site detection and HTTP Strict Transport Security.
• He currently works at GitHub focusing on WebAuthn.
• Emphasizes the responsibility involved in security and privacy work, especially considering ethical concerns such as GitHub’s controversial contracts.

Importance of Security and Privacy

• Security and privacy are critical, particularly for vulnerable users with limited devices or resources.
• Traditional threat models (e.g., technical hacking) are expanding to include nuanced social threats like domestic abuse.
• Apple’s privacy initiatives are highlighted as a positive example, focusing on device-side security rather than cloud centralization.

Problems with Passwords

• Passwords remain vulnerable to phishing and reuse attacks.
• Although password strength measurement tools exist, many passwords are leaked and reused.
• Password managers and passphrases (random words) help but are not universally adopted.
• WebAuthn offers alternatives to passwords, aiming to replace or augment them.

Authentication Factors and Why to Move Beyond Them

• Traditional factors include:
  • Something you know (password, security questions).
  • Something you have (security keys, tokens).
  • Something you are (biometrics like fingerprint, face).
• WebAuthn abstracts these factors into a cryptographic interface, reducing complexity.
• Factors are not always clear-cut; many authentication methods don’t fit neatly into these categories.
• WebAuthn uses public key cryptography to securely bind authentication to a device or credential.

WebAuthn API Overview

• Two main JavaScript API calls:
  • navigator.credentials.create() — for registering a credential.
  • navigator.credentials.get() — for authenticating.
• Underlying data structures are complex (JSON, CBOR, base64url encoding).
• WebAuthn supports a variety of authenticators:
  • Physical security keys (USB, NFC, Bluetooth).
  • Platform authenticators (fingerprint, face unlock on devices).
• Resident keys (credentials stored on the device) provide stronger security guarantees.

Demonstrations and Usage

• Security keys (e.g., YubiKeys) and platform authenticators (Touch ID, Windows Hello) can be used for registration and login.
• Passwordless or username-less login is possible using biometric or device-based authentication.
• Cross-device syncing (e.g., Apple iCloud Keychain) could improve recovery and usability but raises trust and privacy questions.

Account Recovery Challenges

• Losing physical security keys can lock users out.
• Backup methods (SMS, backup codes, TOTP) are still necessary but have trade-offs.
• Recovery remains an unsolved problem, balancing usability and security.
• Tying recovery to trusted services (e.g., Apple iCloud) is a promising approach but depends on trust in those providers.

Comparison of Authentication Factors

• Email-based resets are weak factors because control of email grants full account access.
• Bank security images are not real factors; they only confirm the server’s identity but are vulnerable to man-in-the-middle attacks.
• SMS codes are convenient but insecure and phishable.
• Time-based One-Time Passwords (TOTP) are better than SMS but have usability and backup issues.
• Hash-based OTPs exist but are rarely used due to complexity.
• Password Authenticated Key Exchange (PAKE) protocols provide cryptographic proof of password knowledge without revealing it but are not widely implemented due to web constraints.
• RSA SecurID tokens are equivalent to TOTP but less secure than physical security keys.
• Push notifications are slightly better than SMS but still vulnerable to phishing.
• SSH keys and client certificates are used as backup/recovery factors in some contexts.

Limitations of the Traditional Factor Model

• Some authentication methods (e.g., John Conway’s mental algorithm) don’t fit neatly into “something you know/have/are”.
• WebAuthn’s abstraction allows for flexible, extensible authentication methods beyond classical factors.

Privacy Considerations

• WebAuthn aims to prevent cross-site tracking by making keys site-specific.
• Current implementations can leak some metadata (e.g., which usernames are registered on a key), but improvements are planned.
• The specification and hardware aim to reduce correlation and fingerprinting risks.

Technical Ecosystem and Terminology Confusion

• WebAuthn is part of a complex ecosystem involving:
  • WebAuthn (browser API).
  • CTAP (Client to Authenticator Protocol) versions 1 and 2.
  • FIDO U2F (Universal 2nd Factor) and FIDO2 standards.
• Terminology is confusing; “security key” is the common user term.
• Distinction between “device” as external security key vs. platform authenticator (built-in fingerprint reader) is blurry.
• Platforms brand authentication differently (Windows Hello, Touch ID, Face ID).
• No clear, user-friendly terminology exists yet for these new authentication methods.

Future Directions and Open Problems

• Need better user-facing terminology and education.
• Improving account recovery mechanisms without compromising security.
• Enhancing privacy protections in the WebAuthn ecosystem.
• Making WebAuthn easier to implement for developers.
• Encouraging broader adoption beyond tech-savvy users.

---

Methodology / Key Instructions for Using WebAuthn

Basic WebAuthn API Usage

1. Register a credential:
   • Call navigator.credentials.create() with public key options.
   • User interacts with authenticator (e.g., taps security key or uses fingerprint).
   • Send the credential data to the server for registration.
2. Authenticate:
   • Call navigator.credentials.get() with options.
   • User verifies presence (touches key, biometric verification).
   • Send assertion to server for verification.

Security Key Features

• Use resident keys to store credentials securely on device.
• Use user verification (biometrics or PIN) for stronger authentication.
• Require physical presence (touch) to prevent remote attacks.

Backup and Recovery

• Encourage users to register multiple authenticators.
• Maintain secondary recovery options (SMS, backup codes, TOTP).
• Consider integration with trusted cloud services for syncing credentials.

Implementation Considerations

• Handle complex data formats (CBOR, base64url).
• Use libraries or abstractions to simplify WebAuthn integration.
• Test across browsers and platforms due to partial and varying support.
• Educate users on the benefits and usage of security keys and platform authenticators.

---

Speakers / Sources Featured

• Lucas Garron – Guest lecturer, security engineer at GitHub, former Chrome security team member, expert on WebAuthn.
• Other figures and entities mentioned:
  • Mehran Sahami (Stanford professor).
  • Emily, Liam, Chris (former co-workers).
  • Apple (referenced for privacy efforts).
  • Patrick (Lucas’s manager, mentioned regarding recovery issues).
  • John Conway (mathematician, referenced in analogy).
  • Various companies and services: GitHub, Google, Dropbox, Microsoft, PayPal, Duo Security, Yubico.

---

This lecture provides a comprehensive overview of WebAuthn, its motivations, technical details, and the broader context of user authentication challenges and solutions on the web. It emphasizes the move beyond passwords and traditional factors towards a more secure, user-friendly, and privacy-conscious future.

Category

Educational

---

Share this summary

Share on X/Twitter Share on Facebook Share on LinkedIn Share on Reddit Share on WhatsApp Share on Telegram

---

Is the summary off?

If you think the summary is inaccurate, you can reprocess it with the latest model.

Reprocess summary

Video