WebAuthn authentication principle

WebAuthn is a web standard developed by the W3C whose purpose is to let users authenticate to web applications and services using public key cryptography. WebAuthn is a core component of the FIDO2 project, which is jointly led by the FIDO Alliance and the W3C.

The principle of WebAuthn is that when a user registers with or logs in to a website, the website sends a challenge to the user's browser, and the browser passes the challenge to the user's authenticator. The authenticator is an abstract functional model of a cryptographic operation that can be implemented in software or hardware. The authenticator generates a public/private key pair based on the challenge and the website's information, and sends the public key and some other information (such as authenticator type, user verification method, etc.) back to the website as the credential for registration or login. The private key is stored in the authenticator and is never leaked.

The authenticator can be a platform authenticator built into the device, or a roaming authenticator connected to the device through USB, Bluetooth, NFC, etc., a common example being a security key. Platform authenticators can often leverage on-device biometric or screen lock features to verify the user, such as fingerprints, facial recognition, PINs, passwords, or patterns. Roaming authenticators require the user to press a button or touch the key to indicate user presence.

The advantage of WebAuthn is that it does not require the user to remember or enter a password, nor does it require the user to provide personal information such as a phone number. It prevents phishing attacks because an attacker cannot forge a website's origin information to trick the authenticator. It also prevents malware attacks because the private key is not exposed to software running on the device.

The first and second versions of the WebAuthn standard were released as W3C Recommendations on March 4, 2019 and April 8, 2021, respectively. The third edition of the standard is currently in the draft stage (First Public Working Draft).

Security Principles of WebAuthn

The security of WebAuthn is based on public key cryptography, which protects both the user's private information and the verification process.

Specifically, the security principles of WebAuthn include the following aspects:

Challenge/response mechanism: When a website asks a user to register or log in, it sends a randomly generated number, called a challenge, to the user's browser. The browser passes the challenge to the user's authenticator, the authenticator signs the challenge with the private key, and the signature and public key information are sent back to the website. The website uses the public key to verify the validity of the signature and thereby confirms whether the user holds the corresponding private key. This mechanism prevents replay attacks because each challenge is different and can only be used once.

Origin verification: When the authenticator signs a challenge, it also includes the origin information of the website, such as domain name, protocol, and port. This information allows the website to confirm that the user is operating on the correct website rather than being tricked by a phishing website. Origin verification prevents phishing attacks because an attacker cannot forge a website's origin to fool the authenticator.

Private key protection: The private key generated by the authenticator is stored in the authenticator and is never leaked or transmitted to any other party. The private key can only be used after the user has passed a verification step (such as fingerprint, face recognition, pressing a button, etc.). Private key protection prevents malware attacks because software running on the device cannot access or steal the private key.

Privacy protection: The public key generated by the authenticator is associated with a specific website and is not shared or reused for other websites. This means that different websites cannot track or identify users through the public key. In addition, the authenticator does not store or disclose the user's personal information, such as name, phone number, email, etc. Privacy protection helps prevent identity theft and personal data breaches.

Workflow of WebAuthn

The workflow of WebAuthn can be roughly divided into two stages:

  • Registration
  • Authentication

The registration phase is carried out when the user uses the authenticator for the first time; its purpose is to generate a public/private key pair for the user and send the public key and other information to the website as the user's credential. The authentication phase is performed every time the user logs in or verifies their identity; its purpose is to sign the challenge sent by the website with the private key and send the signature and other information to the website, so that the website can verify whether the user holds the corresponding private key. The following is the workflow diagram of WebAuthn and a detailed introduction of each step:

  • Registration phase:

      1. The user selects the option to register or add an authenticator on the website, and provides some basic information, such as username, email, etc.
      2. The website sends a registration request to the user's browser, containing a randomly generated number (the challenge), the origin of the website, the user's information, options for the authenticator, etc.
      3. The browser passes the registration request to the authenticator of the user's choice and prompts the user for a verification method, such as fingerprint, facial recognition, pressing a button, etc.
      4. The authenticator generates a public/private key pair based on the registration request and signs the challenge with the private key. The private key is stored in the authenticator and is never leaked. The public key and other information (such as authenticator type, user verification method, credential ID, etc.) form a public key credential, which is sent back to the browser.
      5. The browser sends the public key credential to the website as a signal that the user's registration (or addition of an authenticator) is complete.
      6. The website uses the public key to verify the validity of the signature and confirms that the public key credential matches the registration request. If successful, the website stores the public key credential on the server, associated with the user's account.
  • Authentication phase:

      1. The user selects the option to log in or authenticate on the website and provides some basic information, such as username, email, etc.
      2. The website sends an authentication request to the user's browser, containing a randomly generated number (the challenge), the origin of the website, the user's information, options for the authenticator, etc.

Source: blog.csdn.net/sinat_15735647/article/details/129742204