This thesis presents well-known and widely-used means for Web authentication and compares them to a new standard, WebAuthn. In this process, it focuses on consumer Web applications.
Web authentication today still relies mostly on the use of passwords, the oldest and least safe form of verification. To ensure a high level of security, passwords must be long and comprised of random characters, therefore remembering them becomes increasingly harder as their number grows. Users can solve the problem of remembering passwords by storing them in a password manager. They can also use single sign-on, which allows them to safely use single credentials to log into different applications. The weakness of both these approaches is a single point of failure, as the user and application are reliant on third-party providers. Logging in can be made more secure by adding a new element of authentication, which is available through two-factor authentication, but despite the stronger security, passwords remain a part in the process. To completely dismiss their use, mechanisms for passwordless authentication have recently been developed, but they depend on the security of an e-mail address.
None of the aforementioned means of authentication solves the problem of remembering passwords without introducing a weakness, e.g. a single point of failure. A new standard, WebAuthn, is being developed to combat this issue. It introduces stronger credentials and a few new principles in authentication. WebAuthn uses public-key-based credentials, which allows it to achieve stronger security and solve the problem of remembering passwords. With this standard, user authentication is accomplished via an external authenticator.
A part of this thesis is also an implementation a Web application, which, along with WebAuthn, implements four other common ways of authentication.
Suitability of different means of authentication depends on the threat model, but WebAuthn is immune to a wide range of attacks. If good browser support for WebAuthn is provided, it may encourage developers to widely implement the new standard in Web applications.