WebAuthn is a new web authentication standard that enables users to authenticate securely to websites and applications using biometric authentication or security keys. This authentication method is gaining popularity in the cryptocurrency world as it provides enhanced security to cryptocurrency transactions.
Cryptocurrency transactions are highly valuable, and the need for secure authentication is critical. Traditional password-based authentication methods are susceptible to attacks, and cybercriminals can gain unauthorised access to users' cryptocurrency wallets, resulting in a significant loss of funds. To mitigate this risk, cryptocurrency wallets such as Ledger, are increasingly adopting WebAuthn authentication methods.
HOW DOES IT WORK?
WebAuthn uses a public-key cryptography method to authenticate users, and it works by creating a private and public key pair. The private key is stored securely on the user's device, while the public key is shared with the website or application. When a user wants to authenticate to a website, they provide their biometric authentication or insert their security key into their device, which is then used to generate a cryptographic signature. The signature is sent to the website, which then verifies the signature using the user's public key.
WHY IS IT BENEFICIAL?
One of the significant benefits of WebAuthn authentication is that it eliminates the need for users to remember passwords. This eliminates the risk of password-based attacks, which are prevalent in the cryptocurrency world. Passwords are often weak, and users tend to reuse them across multiple websites, making them vulnerable to credential stuffing attacks. WebAuthn, on the other hand, uses unique cryptographic signatures, making it virtually impossible for attackers to replicate.
WebAuthn authentication also provides an additional layer of security for cryptocurrency transactions by enabling users to verify the transaction details before signing off on them. Users can confirm that the transaction amount and destination address are accurate before signing off on the transaction, preventing fraudulent transactions.
Another advantage of WebAuthn authentication is that it provides protection against phishing attacks. Phishing attacks are prevalent in the cryptocurrency world, and they often involve attackers tricking users into providing their login credentials. With WebAuthn, users do not need to enter their credentials, making it impossible for attackers to steal them.
HOW DO YOU USE WEBAUTHN?
As with any other login situation:
- You will be prompted for a username to identify yourself.
- The browser would then prompt you to authenticate yourself using their hardware authenticator.
- You would be logged into the system if your authentication was successful.
While that’s happening for you in the front-end, here is what’s going on in the back:
- You enter your username after clicking the login button on a website in their browser (user agent).
- The authenticating server (relying party) sends a challenge (a random piece of data transmitted as an array) to the your browser, along with your saved private key ID.
- This challenge and private key ID are sent to the authenticator device by the browser.
- The authenticator gadget then prompts you to confirm your identity. This might vary depending on the device (for example, Touch ID on a Macbook or touching a YubiKey).
- When you authorise the authenticator device, it will retrieve the produced key pair saved on it with the specified private key ID. It will then sign the challenge with the private key.
- The authenticator device will then return the signed challenge as well as process data to the authenticating server.
- The authenticating server will next check the private key's authenticity by utilising its previously saved public key to ensure the challenge was signed by the private key.
- You will then be logged in.
This provides a more secure and user-friendly authentication method compared to traditional password-based authentication methods.
As the adoption of cryptocurrencies continues to grow, the need for secure authentication methods such as WebAuthn will become more critical to ensure the safety of users' funds.