This is the 9th day of my participation in Gwen Challenge


Here’s a way to log on to Microsoft’s website:

When you choose to log in this way, Windows will open a new security window and display the following image:

This relies on the Web Authentication API. Let’s take a look at it.

Web Authentication API

Introduction

The Web Authentication API (also known as WebAuthn) extends the Credential Management API and uses public-key cryptography to make authentication stronger. It enables passwordless authentication and secure two-factor authentication without SMS codes, and it addresses phishing, data breaches, SMS-based attacks and other major security problems of conventional two-factor authentication.

Characteristics

  1. Use asymmetric (public-key) cryptography instead of passwords or SMS codes for registration, login and two-factor authentication on websites.
  2. Significantly improved ease of use, since users no longer have to manage many increasingly complex passwords.

API

The Web Authentication API has two basic methods, corresponding to registration and login:

  1. navigator.credentials.create() – registration
  2. navigator.credentials.get() – login

Both methods can only be used in a secure context.

Secure context: for example, an HTTPS connection or localhost.

How it works

The Web Authentication API in Microsoft Edge lets web applications authenticate users with Windows Hello and external FIDO2 devices, avoiding the problems and risks of password management, including password guessing, phishing and keylogging attacks. The current Microsoft Edge implementation is based on the Candidate Recommendation of the Web Authentication specification.

With Web Authentication, the server sends a plain-text challenge to the browser. Once Microsoft Edge has authenticated the user with Windows Hello or an external FIDO2 device, the system signs the challenge with the private key previously created for that user and sends the signature back to the server. If the server can validate the signature with the public key registered for the user and confirm that the signed challenge is the one it issued, the user is securely authenticated. In this asymmetric scheme the public key on its own is of no use to an attacker, and the private key is never shared. On modern systems with a secure element or TPM-backed hardware, the private key also never leaves that hardware.

For details, see MDN – Web_Authentication_API

Browser compatibility

Modern browsers have good support. Consider using it in your project.

Example

To be continued