WebAuthn with FIDO Security Keys

How does the Web Authentication standard work with FIDO Security Keys?

Web Authentication, or WebAuthn, represents a revolution in the way we authenticate users online, replacing traditional passwords with physical security devices. This standard is compatible with most web browsers and uses devices approved by the FIDO Alliance, which can be security keys or biometric devices.

What is the user registration process?

The registration process is fundamental when we talk about web authentication. It involves three main entities:

  1. The authenticator: Your biometric device or security key.
  2. The browser: The intermediary that manages the communication between the user and the trusted source.
  3. The trusted source: This can be an authorization server such as Google or Auth0.

The process flow is as follows:

  • The browser sends a challenge, which is a random string, to the trusted source.
  • The trusted source returns the challenge signed by the authenticator.
  • The authenticator creates a public key and a private key. The private key is kept secret, while the public key is sent along with the signed challenge to the trusted source.

The trusted source will hold the public key to verify that the challenge was signed by the rightful owner and will store an authenticator identifier. Thus, a credential is created in the trusted application.

How is the login performed with FIDO Security Keys?

The login process is also simple:

  • You submit your ID and the trusted source sends you a challenge to sign.
  • You sign the challenge with your private key. Only you can do this, because the key is on your device.
  • The trusted source uses the public key to verify the signature. If it is valid, access is successfully granted.

This method ensures that only you, the holder of the private key, can complete the login, which eliminates the dependency on passwords.

How to enable Web Authentication in Auth0?

Auth0 facilitates the implementation of the Web Authentication standard:

  1. Go to Security in the Auth0 control panel.
  2. Enable the Multifactor Auth option to implement the use of FIDO Security Keys.
  3. Decide whether you want to enable verification with a PIN or a sensor.

Remember that not all keys support the PIN or sensor option, but if your key supports it, you can configure it for added security.

By saving these settings, Auth0 will require users to enable this multi-factor authentication method, significantly increasing the security of your infrastructure.

What physical security devices do you need?

Authentication under this standard requires physical devices approved by the FIDO Alliance:

  • FIDO security keys
  • Biometric devices such as fingerprint readers.

To explore options, I recommend you visit the Yubico site, which offers a variety of security keys. Choosing the right device depends on your needs and the environment where you will be using it, whether for personal access or in a corporate environment.

Take the plunge and integrate these technological advances that, in addition to increasing your security, simplify your life by leaving behind the complications associated with passwords. And stay tuned, because we will continue to explore how to improve security in the next classes.

Contributions 1

I really liked this class