WebAuthn 101 - Demystifying WebAuthn

Conference:  BlackHat USA 2019



WebAuthn is a solution to the problem of weak passwords and insufficient multi-factor authentication. It allows for built-in web authentication using biometrics and platform authenticators.
  • Passwords are not enough to protect against data breaches and credential leaks
  • Multi-factor authentication is still not sufficient to prevent phishing attacks
  • WebAuthn provides a solution by allowing for built-in web authentication using biometrics and platform authenticators
  • The process is simple and straightforward, involving creating a public key and verifying the user's identity through biometrics
  • WebAuthn can be used on both mobile and desktop devices, and can be linked between native apps and web applications
Yahoo Japan has seen a reduction in authentication time by 37.5% after implementing WebAuthn, and Google has also seen a reduction in failure rates and time spent on password-based authentication


Five years later and we're finally at the finish line: Proposed recommendation for W3C WebAuthn. This talk will go into some detail on the use cases WebAuthn sets out solve, how we got here, what's ready for implementation today and what's coming. *Any* service implementing authentication should take note.At Google I'm in the unique position to be part of the standards body, heading the team doing the implementation in platforms (Chrome, Android, CrOS) and responsible for our internal implementation so I have a pretty a unique perspective on this work.



Post a comment

Related work