Tracing the Evolving Levels of Support for WebAuthn

By Kathleen M. Moriarty, CIS Chief Technology Officer, with supporting research from Ben Carter, IoT Specialist at CIS

You've likely been hearing about the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) and wondering if you're ready to implement it in your environment. One of the reasons why it's gaining traction is because it not only helps deprecate passwords but also prevents credential theft. It does this by using public/private key pairs for multi-factor authentication (MFA), which prevents a cyber threat actor (CTA) from stealing or replaying credentials. And all while being simpler to implement than a full PKI solution. (An earlier blog covered the different types of MFA schemes and linked to an NSA evaluation of MFA solutions against the NIST Special Publication 800-63 Authentication Levels.)

WebAuthn is just one of the authentication protocols that fit into the FIDO Alliance framework enabling public/private key pair authentication across platforms and applications. The solution set evolved from Google’s Universal 2 Factor (U2F) that was first contributed to the FIDO Alliance for development and then to W3C, where WebAuthn emerged. The FIDO Alliance also developed a related authentication protocol, the Client to Authenticator Protocol (CTAP), to support non-web applications.

For authentication protocols in the FIDO Alliance Framework, each user and application combination has a unique public/private key pair where mutual authentication is performed using these keys to digitally sign challenges. Since the signed challenges pass on the wire, credentials cannot be replayed or easily captured. (You might be hearing more about secure passwordless authentication these days. Passwordless authentication is possible because of the proliferation of these standards.)

In a memo dated January 26, 2022, the Office of Management and Budget specifically called out W3C’s WebAuthn along with public key infrastructure (PKI) as one of the acceptable authentication methods for the federal government to implement by the end of fiscal year 2024 because of its phishing-resistant properties. The memo requires a zero-trust approach where MFA is required at the application layer instead of the network layer. This is a change in guidance from the model before adoption of zero-trust, with remote access or administrator-level access being more common as a sole requirement for MFA. The requirement provides incentives for vendors who have not yet integrated the standard to do so now. As a result, many applications, existing Identity and Access Management (IAM) frameworks, directory services (e.g. LDAP, ActiveDirectory), credential providers (CP), and identity providers (IDP) support WebAuthn or are planning to support the appropriate protocol in the FIDO Framework.

Determining Support for Your Environment

There are many levels of support for emerging protocols, including fully certified solutions that are listed on the FIDO Alliance Certified Products web page. W3C also promotes support of WebAuthn in products, as it works closely with client vendors to ensure wide support in web browsers, devices, and client operating systems. Some point products have support integrated at some level, but the applications aren't certified. Additionally, in many cases, a credential provider may provide support or integration through a directory service such as LDAP or ActiveDirectory. If your organization’s applications are not listed directly in one of these lists, developers and administrators should look to the following resources to determine if it is possible to close the gap for their environment:

• FIDO2: Web Authentication (WebAuthn)
• FIDO Alliance: Getting Started for Developers
• FIDO Alliance: Learn More About FIDO Authentication
• W3C Web Authentication Standard
• Overview Video of WebAuthn

There are a large number of products that support WebAuthn and other standards in the FIDO Framework. W3C worked diligently with browser vendors and other client application vendors to ensure that access using these standards would be possible from most devices and systems. The data provided by the FIDO Alliance and W3C on support are regularly updated; however, it is not necessarily connected in a way that is easy for organizations to determine if all the products they care about most in their environments have support.

As such, the Center for Internet Security (CIS) conducted market research to determine if we could bridge that gap minimally as a point-in-time snapshot to determine readiness for implementation. Support is grouped in categories that may help to determine if clients, applications, and devices have the support needed to move to WebAuthn and the FIDO Framework.

Identity and Credential Provider Support

Identity providers (IdP) create, store, and manage digital identities. Credential providers manage authentication credentials that can be assigned to an identity. While many organizations manage their own credentials, some can outsource these efforts to ease management. (This may be more common for some types of multi-factor authentication protocols.) In some cases, an IdP is also a credential provider. Many organizations already use a credential provider where support for newer authentication protocols such as WebAuthn is available. Additionally, several One-Time Password (OTP) solution providers have expanded to become credential providers by supporting additional authentication protocols such as WebAuthn.

The dropdown below is a table listing the credential providers discovered in our research that support WebAuthn.