You’ve likely been hearing about the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) and considering whether you’re ready to implement it in your environment. One of the reasons why it’s gaining traction is because it not only helps deprecate passwords but also prevents credential theft.
It does this by using public/private key pairs for multi-factor authentication (MFA), which prevents a cyber threat actor (CTA) from stealing or replaying credentials, all while being simpler to implement than a full PKI solution. (An earlier blog post covered the different types of MFA schemes and linked to an NSA evaluation of MFA solutions against the NIST Special Publication 800-63 Authentication Levels.)
WebAuthn is just one of the authentication protocols that fit into the FIDO Alliance framework enabling public/private key pair authentication across platforms and applications. The solution set evolved from Google’s Universal 2 Factor (U2F) that was first contributed to the FIDO Alliance for development and then to W3C, where WebAuthn emerged. The FIDO Alliance also developed a related authentication protocol, the Client to Authenticator Protocol (CTAP), to support non-web applications.
For authentication protocols in the FIDO Alliance Framework, each user and application combination has a unique public/private key pair, and mutual authentication is performed by using these keys to digitally sign challenges. Since only signed challenges, rather than reusable secrets, pass over the wire, credentials cannot be replayed or easily captured. (You might be hearing more about secure passwordless authentication these days. Passwordless authentication is possible because of the proliferation of these standards.)
In a memo dated 26 January 2022, the Office of Management and Budget specifically called out W3C’s WebAuthn along with Public Key Infrastructure (PKI) as one of the acceptable authentication methods for the federal government to implement by the end of the fiscal year 2024 because of its phishing-resistant properties. The memo requires a zero-trust approach where MFA is required at the application layer instead of the network layer.
This is a change in guidance from the model that preceded zero trust, in which remote access or administrator-level access was commonly the sole trigger for requiring MFA. The requirement provides incentives for vendors who have not yet integrated the standard to do so now. As a result, many applications, existing Identity and Access Management (IAM) frameworks, directory services (for example, LDAP and Active Directory), credential providers (CP), and identity providers (IdP) support WebAuthn or are planning to support the appropriate protocol in the FIDO Framework.
Determining support for your environment
There are many levels of support for emerging protocols, including fully certified solutions that are listed on the FIDO Alliance Certified Products webpage. W3C also promotes the support of WebAuthn in products, as it works closely with client vendors to ensure wide support in web browsers, devices, and client operating systems. Some point products have support integrated at some level, but the applications aren’t certified. Additionally, in many cases, a credential provider may provide support or integration through a directory service such as LDAP or Active Directory. If your organization’s applications are not listed directly in either of these lists, developers and administrators should consult the following resources to determine whether it is possible to close the gap in their environment:
- FIDO2: Web Authentication (WebAuthn)
- FIDO Alliance: Getting Started for Developers
- FIDO Alliance: Learn More About FIDO Authentication
- W3C Web Authentication Standard
- Overview Video of WebAuthn
There are a large number of products that support WebAuthn and other standards in the FIDO Framework. W3C worked diligently with browser vendors and other client application vendors to ensure that access using these standards would be possible from most devices and systems. The support data published by the FIDO Alliance and W3C are regularly updated; however, they are not connected in a way that makes it easy for an organization to determine whether all the products it cares about most in its environment are supported.
As such, the Center for Internet Security (CIS) conducted market research to determine whether we could bridge that gap, at least as a point-in-time snapshot, to help assess readiness for implementation. Support is grouped into categories that may help determine whether clients, applications, and devices have the support needed to move to WebAuthn and the FIDO Framework.
Identity and credential provider support
Identity providers (IdP) create, store, and manage digital identities. Credential providers manage authentication credentials that can be assigned to an identity. While many organizations manage their own credentials, some can outsource these efforts to ease management (this may be more common for some types of MFA protocols).
In some cases, an IdP is also a credential provider. Many organizations already use a credential provider where support for newer authentication protocols such as WebAuthn is available. Additionally, several One-Time Password (OTP) solution providers have expanded to become credential providers by supporting additional authentication protocols such as WebAuthn.
Table 1 lists the credential providers discovered in our research that support WebAuthn.
| Company/solution | MFA factor type | WebAuthn support |
|---|---|---|
| Auth0 | Push notifications, SMS, voice, One-Time Passwords, WebAuthn with security keys and device biometrics, Email | Yes |
| CyberArk | QR Code, Push notification, PINs, Authenticator App, OTP, Phone Call, SMS, Email, Hardware Token, Biometric | Yes |
| Duo | Duo Push, WebAuthn, Biometrics, Tokens, Passcodes | Yes |
| Google Cloud | Hardware security keys, phone as a security key, mobile device push notifications, SMS, and voice calls | Yes |
| IBM Security Verify | SMS/Email/Voice Callback OTP, TOTP, IBM Verify App (user presence and biometric), FIDO authenticator | Yes |
| LoginTC | Passwords, four-digit personal identification numbers, OTPs, hardware token, security key, key fob, SIM Card, Biometric | Yes |
| Microsoft Azure AD | Microsoft Authenticator app, Windows Hello for Business, FIDO2 security key, OATH hardware token, OATH software token, SMS, Voice Call | Yes |
| MiniOrange | SMS, Phone Callback, Multi-Factor Authenticator Apps, miniOrange Authenticator, Email, Hardware Token, Security Questions | Yes |
| Okta | Passwords, Security Questions, SMS/Voice/Email, Verification, FIDO Certified Hardware, WebAuthn | Yes |
| OneLogin | OTP app, email, SMS, voice, WebAuthn for biometric factors, third-party options | Yes |
| PingID/PingFederate | Mobile push, email OTP, SMS OTP, TOTP authenticator apps, QR codes, magic links, FIDO2-bound biometrics, security keys | Yes |
| RSA SecurID Access | Push-to-approve, one-time passcodes, biometrics, FIDO-based authentication | Yes |
| SailPoint | Mobile push, email OTP, SMS OTP, authenticator app, biometrics, security keys and tokens | No, needs to be paired with another solution |
Table 1 — Identity and credential providers.
VPN and VDI WebAuthn support
Before zero trust was prominent, MFA was required at a minimum for remote access and administrator functions. As such, assessing support on these devices is likely the first step for your organization. One way to determine whether support is possible is to look at the methods used for managing the authentication of end users.
The following services or protocols are used to support many types of authentication and allow for an indirect way to support WebAuthn:
- If Active Directory, LDAP, or RADIUS is listed as supported, it may be possible to configure your virtual private network (VPN) to require WebAuthn as the MFA protocol.
- If a credential provider is used in combination with a particular application, service, or remote infrastructure login, and the credential provider supports WebAuthn, that could also be indicative of support.
- If a particular product works with a credential provider and that credential provider supports WebAuthn, the VPN product may indirectly support WebAuthn via this service.
- CIS confirmed with VMware that virtual desktop interface (VDI) support exists for browser-based access and that client-based access is a work in progress. This confirmation followed a direct request from a member.
CIS research has confirmed support for WebAuthn in the following market leader products for VPN and VDI:
Table 2 — Top VPN providers. Source.
Zero Trust Network Access products
Zero Trust Network Access (ZTNA) products provide dedicated and secure access to individual applications supporting zero-trust principles, including strong MFA and dynamic authentication. Ideally, ZTNA products would also cover the full set of tenets for zero-trust; however, for this post and research, the focus is on MFA.
ZTNA market leaders are included below along with an indication of their support for WebAuthn as an MFA method. If a product is highlighted in green, verification of support is possible and clear from the vendor or through a certification process result. Gartner assessed ZTNA market penetration in June 2022 at 5 to 20%, with an expected year-over-year growth rate of 60%. VPNs may be more prevalent today, but this should change with zero-trust adoption initiatives underway.
Table 3 — Zero Trust Network Access products. Source.
Operating system and desktop client support
Operating system support is included and mapped against the market adoption for client systems.
| Operating system | FIDO2/WebAuthn support | Browser | Platform authenticators | Roaming authenticators (FIDO certified hardware, Titan Keys, and so on) |
|---|---|---|---|---|
Table 4 — Operating system and desktop client support. Source.
Web browser and device support
The following clients support WebAuthn, providing broad coverage to enable access to applications and services.
The following devices support WebAuthn and/or CTAP.
| Desktop Browser | Version(s) | WebAuthn Support |
|---|---|---|
| Chrome | Versions 67 - 109 | Yes |
| Edge | Versions 18 - 106 | Yes |
| Safari | Versions 13 - 16.2 | Yes |
| Firefox | Versions 60 - 108 | Partial support |
| Opera | Versions 54 - 92 | Yes |

| Mobile Browser | Version(s) | WebAuthn Support |
|---|---|---|
| Chrome for Android | Version 106 | Yes |
| Safari on iOS | Versions 13.3 - 14.4 and Versions 14.5 - 16.1 | Partial support (13.3 - 14.4); yes (14.5 - 16.1) |
| Samsung Internet | 17.0 - 18.0 | Yes |
| Opera Mobile | Version 64 | Yes |
| UC Browser for Android | Version 13.4 | Yes |
| Android Browser | Version 106 | Yes |
| Firefox for Android | Version 105 | Partial support |
| QQ Browser | Version 13.1 | Yes |
| Baidu Browser | Version 13.18 | Yes |
| KaiOS Browser | Version 2.5 | Yes |
Table 5 — Web browser and device support. Source.
The list of web-based applications supporting WebAuthn and FIDO can be found in this certified product list from the FIDO Alliance. Additional applications may support these protocols, or it may be possible to integrate applications for support through existing infrastructure as discussed earlier in the blog post.
Several token providers offer lists of applications that also support protocols in the FIDO Framework. As such, these links are provided to aid research on application support of WebAuthn, CTAP, and FIDO protocols:
- Hideez list of supported applications.
- Yubico list of Application and Services supporting FIDO Certified Hardware Tokens
CIS researched several cloud-based or hosted application services to determine the level of support for WebAuthn and PKI certificate-based authentication. It maintains the list in the table below.
Table 6 — Cloud-based services.
Expanding support for WebAuthn
As you’ll see from the research above, support for WebAuthn and related protocols in the FIDO Alliance Framework is widespread. If you are considering MFA for the first time or revising your solution set, it is a technology that is worth the investment, both for the protection it offers and for how far along it is on the path to adoption. WebAuthn has strong support as buyers increasingly request the protocol due to the strength of the solution and the projected longevity signalled by sources such as the US federal government and CISA.
We’ll update our market research as the solution space evolves. In the meantime, if you see something that warrants a correction, you can get in touch with us below.
Additional information on MFA and authorization technologies can be found in the following resources:
- Why Are Authentication and Authorization So Difficult?
- Authentication and Authorization Using Single Sign-On
- Why OAuth Is So Important: An Interview with Justin Richer
- CISA Datasheet: Implementing Phishing-Resistant MFA
- CISA: Multi-Factor Authentication Overview
Kathleen Moriarty is Chief Technology Officer at the Center for Internet Security and the former IETF Security Area Director. She has more than two decades of experience working on ecosystems, standards, and strategy.
Adapted from this post on CIS Blog.