{"id":14755,"date":"2019-01-30T14:30:36","date_gmt":"2019-01-30T13:30:36","guid":{"rendered":"https:\/\/www.inovex.de\/blog\/?p=14755"},"modified":"2024-05-27T07:50:39","modified_gmt":"2024-05-27T05:50:39","slug":"webauthn-authentication","status":"publish","type":"post","link":"https:\/\/www.inovex.de\/de\/blog\/webauthn-authentication\/","title":{"rendered":"WebAuthn: Strong Authentication for the Web [State of the Web]"},"content":{"rendered":"<div>\n<blockquote><p>Use complex passwords they said! It will be secure they said!<\/p><\/blockquote>\n<p>This meme may be a humorous take on a harsh reality. According to <a href=\"https:\/\/static.googleusercontent.com\/media\/research.google.com\/en\/\/pubs\/archive\/46437.pdf\" target=\"_blank\" rel=\"noopener\">Google&#8217;s study<\/a>,\u00a01.9 billion passwords were exposed by data breaches over a period of one year. In the same period, 12.4 million users fell victim to phishing attacks. The\u00a0<a href=\"https:\/\/hpi.de\/news\/jahrgaenge\/2016\/hpi-wissenschaftler-ermitteln-die-zehn-meistgenutzten-deutschsprachigen-passwoerter.html\">Hasso-Plattner-Institut<\/a>\u00a0also found that 20% of users in Germany reuse their passwords for different accounts. It also found that &#8218;hallo&#8216; and &#8218;passwort&#8216; are the most popular German passwords. This reality shows that in practice passwords aren&#8217;t secure at all.<\/p>\n<p>One remedy is One-Time Passwords (OTPs), which are sent via SMS or generated by an authenticator app for Two-Factor Authentication (2FA). The problem with that approach is that, in addition to poor usability, users may still be tricked into submitting their credentials to the wrong website.<\/p>\n<p>So a new authentication mechanism is needed that is more robust against exploits than passwords and simpler to use than OTPs. 
This challenge is the business of Fast Identity Online (FIDO), an alliance of more than 250 companies like PayPal, Microsoft and Google. In 2014, they announced the Universal Second Factor (U2F) specification which provides 2FA based on security keys, resistant to phishing, man-in-the-middle attacks (MitM) or stolen passwords.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Universal-Second-Factor-Protocol-U2F\"><\/span>Universal Second Factor Protocol: U2F<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Simply put, besides a password the user needs an 
additional U2F device that is used for 2FA. Upon registration the device creates a key pair, with the public key stored by the service.<\/p>\n<p>As the protocol is built upon challenge-response authentication, first a challenge token is sent to the client. To log in, the challenge needs to be signed with the user&#8217;s private key and sent back to the server. The corresponding public key is used to identify the user without sharing any secret over the wire. Additionally, to protect against phishing and MitM attacks, the authentication flow is linked to the origin of the service and the channel ID, both of which are also signed by the U2F device and verified by the service. An overview of the sign-in process is illustrated in the following graphic.<\/p>\n<\/div>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-14756\" src=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/01\/WebAuthnFlow-300x60.png\" alt=\"Schematic of U2F Authentication, the basis for WebAuthn\" width=\"550\" height=\"110\" srcset=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/01\/WebAuthnFlow-300x60.png 300w, https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/01\/WebAuthnFlow-400x80.png 400w, https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/01\/WebAuthnFlow-360x72.png 360w, https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/01\/WebAuthnFlow.png 676w\" sizes=\"auto, (max-width: 550px) 100vw, 550px\" \/><\/p>\n<div>\n<div>Moreover, the standard also specifies a JavaScript API to make use of strong 2FA on the web. Unfortunately, almost no browser vendor ever implemented the API, so up to now the features of U2F can&#8217;t really be used for web applications. However, the FIDO alliance kept working on the standard and developed FIDO2, a kind of version 2.0 of the U2F Protocol. Among other things, it comprises the W3C\u2019s Web Authentication specification (WebAuthn), a new Web API designed to use strong key cryptography on the web. 
The API is shipped in Chrome, Firefox and Edge, while Safari is currently working on integration.<\/div>\n<h2><span class=\"ez-toc-section\" id=\"WebAuthn-Web-Authentication-API\"><\/span>WebAuthn: Web Authentication API<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The Web Authentication API is based on the <a href=\"https:\/\/w3c.github.io\/webappsec-credential-management\/\">Credential Management API<\/a> and adds a new `PublicKeyCredential` type to the credentials interface. It provides a standardized way to communicate with external devices in order to retrieve key pair information.<\/p>\n<p>To this end, the Credential Management API&#8217;s `navigator.credentials.create()` and `navigator.credentials.get()` methods are extended with a `publicKey` parameter to register and authenticate users.<\/p>\n<p>For registration the server sends a challenge token, information about the relying party and user information, all of which need to be passed to the external device to initially create the key pair.<\/p>\n<div>\n<pre class=\"lang:js decode:true\" title=\"User Registration\">navigator.credentials.create({\n publicKey: {\n  \/\/ Random challenge bytes issued by the server (Uint8Array(32); remaining bytes elided)\n  challenge: new Uint8Array([141, 62, 161, 47, 3, 103 \/* \u2026 *\/]),\n  \/\/ Relying party: the service the credential is scoped to\n  rp: { id: \"example.com\", name: \"Example Corporation\" },\n  user: {\n   id: new Uint8Array(16),\n   name: \"john.doe@example.com\",\n   displayName: \"John Doe\"\n  },\n  pubKeyCredParams: [{\n   type: \"public-key\",\n   alg: -7 \/\/ COSE identifier for ES256 (ECDSA with SHA-256)\n  }]\n }\n}).then(credential =&gt; {\n \/\/ Send the PublicKeyCredential object to the server\n})<\/pre>\n<\/div>\n<p>After the key pair has been created, the promise resolves with a `PublicKeyCredential` object which contains the public key and additional metadata like the origin and the server challenge, signed by a hardware-backed private key. 
As soon as the `PublicKeyCredential` object has been sent to the server, the server verifies its metadata and validates its signature using the device&#8217;s certificate chain of trust, and then stores it with the user&#8217;s account.<\/p>\n<p>Now that the user has been registered with the service, the `navigator.credentials.get()` method may be used to sign in. But first, the server again sends a challenge to the client, which needs to be passed to the Credential Management API. The previously created private key is then used to sign the `PublicKeyCredential` information, which is sent to the server.<\/p>\n<div>\n<pre class=\"lang:js decode:true\">navigator.credentials.get({\n \/\/ options: request options received from the server, including the new challenge\n publicKey: options\n}).then(credential =&gt; {\n \/\/ Send the signed PublicKeyCredential to the server\n})<\/pre>\n<\/div>\n<p>On the server side, the corresponding public key is used to verify the identity of the user in order to create a session.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Back-to-the-Future\"><\/span>Back to the Future<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>So what does public key authentication mean for passwords and the issues they introduce? As public keys may be used for 2FA, U2F will be a strong tool to defend against phishing and MitM attacks. The integrity of users&#8217; data will be better protected, as the signed metadata contains information about the relying party and the communication channel.<\/p>\n<p>Also, data breaches won&#8217;t compromise a user&#8217;s account, as the public key part is useless to attackers, even when the password is simple or has been stolen.<\/p>\n<p>Good news? Maybe you are wondering about FIDO&#8217;s goal of improving the simplicity of authentication. And you are right, the usability hasn&#8217;t changed much. To authenticate, users still need to carry an external device. 
Here, in addition to the WebAuthn specification, the FIDO2 project defined a new Client-to-Authenticator Protocol (CTAP 2) that allows common devices to be used to authenticate to web services easily. But the most stunning feature is that <em>authenticators may be used as a first factor<\/em>, which has the potential to replace passwords in the future.<\/p>\n<p>Currently there are some services that have already implemented the new Web Authentication API, like <a href=\"https:\/\/help.github.com\/articles\/configuring-two-factor-authentication\/#configuring-two-factor-authentication-using-fido-u2f\">GitHub<\/a>\u00a0or <a href=\"https:\/\/www.facebook.com\/help\/401566786855239?helpref=related\">Facebook<\/a>.<\/p>\n<p>If you want to take a small glimpse into the future, you may want to test Dropbox&#8217;s U2F option with Chrome 70, which lets you use your device&#8217;s fingerprint sensor to sign in. In the future, more and more services may adopt U2F, as it provides an additional layer of security. It remains to be seen whether passwords will be replaced, as some security and usability factors still need to be discussed first. 
Nevertheless, important first steps have been taken.<\/p>\n<\/div>\n<div>\n<h2 data-fontsize=\"32\" data-lineheight=\"48\"><span class=\"ez-toc-section\" id=\"Further-Resources\"><\/span>Further Resources<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li><a title=\"https:\/\/www.w3.org\/TR\/webauthn\/\" href=\"https:\/\/www.w3.org\/TR\/webauthn\/\">https:\/\/www.w3.org\/TR\/webauthn\/<\/a><\/li>\n<li><a title=\"https:\/\/fidoalliance.org\/fido2\/\" href=\"https:\/\/fidoalliance.org\/fido2\/\">https:\/\/fidoalliance.org\/fido2\/<\/a><\/li>\n<li><a title=\"https:\/\/fidoalliance.org\/approach-vision\/\" href=\" https:\/\/fidoalliance.org\/overview\/\"> https:\/\/fidoalliance.org\/overview\/<\/a><\/li>\n<\/ul>\n<p>Other Articles in this Series<\/p>\n<h2><span class=\"ez-toc-section\" id=\"All-Articles-in-this-Series\"><\/span>All Articles in this Series<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li><a href=\"https:\/\/www.inovex.de\/blog\/screenshot-testing-mit-backstopjs-sotw\/\">Screenshot Testing mit BackstopJS<\/a><\/li>\n<li><a href=\"https:\/\/www.inovex.de\/blog\/css-scroll-snap-state-of-the-web\/\">CSS Scroll Snap<\/a><\/li>\n<li><a href=\"https:\/\/www.inovex.de\/blog\/native-browser-dialogs-libraries\/\">Native Browser Dialogs<\/a><\/li>\n<\/ul>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Use complex passwords they said! It will be secure they said! This meme may be part of a humoristic view on the harsh reality. According to Google&#8217;s study\u00a01.9 billion passwords were exposed during a period of one year caused by data breaches. In the same time 12.4 million users fell victim to phishing attacks. 
Also [&hellip;]<\/p>\n","protected":false},"author":48,"featured_media":15297,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"ep_exclude_from_search":false,"footnotes":""},"tags":[70],"service":[425,444,879],"coauthors":[{"id":48,"display_name":"Sven Lindauer","user_nicename":"slindauer"}],"class_list":["post-14755","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-web","service-backend","service-frontend","service-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/14755","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/users\/48"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/comments?post=14755"}],"version-history":[{"count":3,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/14755\/revisions"}],"predecessor-version":[{"id":54008,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/14755\/revisions\/54008"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/media\/15297"}],"wp:attachment":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/media?parent=14755"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/tags?post=14755"},{"taxonomy":"service","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/service?post=14755"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/coauthors?post=14755"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}