Password less login using Web Authentication on windows, ios, and android browsers

4 Likes
10 months ago

What is Password less login to web applications?

 

Users access web applications securely without creating or typing a password. The modern browser provides API to create Public-key based credentials to authenticate a user with no password. It is a new type of web authentication officially ratified by W3C (World Wide Web Consortium). Major browsers Mozilla Firefox, Chrome, Edge, and Safari support this kind of authentication.

 

Why is Passwordless login important?

 

Enterprises and individuals are thriving to secure their login to web applications access over the internet which is critical for them. A popular login requirement is that the user has to remember their username and password. Enterprises mandate that all user password has to be complex. Every website requires its own set of password rules. The problem with passwords is hard to remember too many passwords and they can be stolen. 2FA will secure the login but still, the user has to memorize the passwords. To address this web authentication, do public-key based credentials where a password is not involved in authentication.  Current device biometric or windows hello authentication is used in place to login form with username and password. Windows Hello, android native biometric, and IOS biometric methods are used to secure the login process. This provides frictionless secure login to end-users.

 

Passwordless Web authentication with NetIQ Access Manager

 

Modern devices include desktop and laptops come with TPM support where public-key credentials are created and stored. Old devices may not have a TPM module then those devices won’t support the web authentication discussed here. Web Authentication requires registering a user and logging in an existing user.  While registering user navigator.credentials.create() browser API is called to create public key credentials at client-side (browser) for relying party (Access Manager). This public-key credential contains a public key, credentials ID, and some other cryptographically relevant data. The server will verify these credentials are generated by a legit source. An authenticator at the client-side adds an attestation statement with information attestation format, AAGUID (FIDO service can be called based on this ID to verify the source).  

When using a TPM untrusted certificate involved in credentials generation, to secure the process for the demo user has to authentication with secure name password contract in enterprise Kerberos authentication is easy to the rollout registration process.

For demo purpose web authentication demo project code compiled to war and deployed along with nidp web app at IDP. Demo project resource, custom JSP pages used is available below under resources section. Created custom authentication class to verify username with user store and the result of web authentication with another web app.

 

Passwordless Web authentication Windows laptop demo

 

passwordless-login.gif

 


IOS iPhone demo

 

passwordless-login-iphone.gif

 


Resources

 

https://github.com/Yubico/java-webauthn-server.git

https://www.w3.org/TR/webauthn/

https://developers.google.com/web/updates/2018/05/webauthn

Labels:

Other
Comment List
Anonymous
Related Discussions
Recommended