Securing Web Services with WebAuthn

The YubiKey 5 and Security Key support the WebAuthn protocol. No hardware configuration or registration is required by customers to use their YubiKeys with a website or service using WebAuthn. Further, modern browsers support WebAuthn, removing the requirement to set up the WebAuthn framework when using a web-based site or service.

FIDO2 / WebAuthn

FIDO2 / WebAuthn Overview

Developers looking to add FIDO2 / WebAuthn support will need to implement a WebAuthn Server. Yubico offers a number of libraries, but also guidance on both how they work, how to implement them and best practices.

Developer Guidance:

Selecting the FIDO2 / WebAuthn library

If a U2F implementation is already in place, the best path is to transition to WebAuthn. The first choice a developer should make once they start integrating FIDO2 / WebAuthn is to choose which language to implement the WebAuthn server in, based on your current web infrastructure. Yubico offers WebAuthn servers in the most common languages; each implementation is functionally equivalent. The servers can be accessed at:

Yubico WebAuthn Libraries:

Understanding the FIDO2 / WebAuthn Flow

Once the server language has been selected, it is important to get an understanding on how the WebAuthn server will interact with the rest of the user authentication framework. There are a number of pages which can assist in explaining the Yubico WebAuthn server flows, unique WebAuthn security features, such as Attestation, and how to best connect the WebAuthn functions to an existing user database.

Using a WebAuthn Library:

FIDO2 / WebAuthn Authentication Options

When the WebAuthn server is set up and verified with basic flows, developers may want to consider some advanced user options. Resident Keys allow for passwordless authentication, while User Verification allows for stronger proofs of user identity when authenticating.

WebAuthn Features:

FIDO2 / WebAuthn Implementation

As with other authentication solutions, developers have considerations outside of the authentication flow which should be reviewed. Federation allows for a WebAuthn authentication flow to secure other sites or services with no additional friction. Account Recovery should also be a consideration when planning the final authentication flow.

Authentication Considerations:

FIDO2 / WebAuthn Best Practices and Compliance

After creating a FIDO2 / WebAuthn solution, integrators can review it against open standards to make sure it is future proof, or can be certified for public use. Yubico offers guides to make sure a solution is both complete and ready for public exposure.

WebAuthn Solution Reviews:

FIDO2 / WebAuthn on Mobile Platforms

Mobile devices, like tablets or smart phones, make up an increasing percentage of the primary methods used for accessing the web. Mobile Browsers which support WebAuthn requires no additional code on the integrator’s side to be used on a mobile platform. However, the are options available when implementing FIDO which can offer options for the user experience on mobile devices.

Mobile Platform Resources: