WebAuthN with OpenID Connect — Usable, Strong, Passwordless Authentication

Chris McCaw
Jan 12 · 3 min read

WebAuthN (FIDO2) authentication promises a strong, passwordless authentication experience that is native to the browser and simple for end-users. From a developer's perspective, however, WebAuthN is difficult and complex to implement, since it requires a registration ceremony as well as an authentication ceremony. Moreover, if implemented incorrectly, it can make your app vulnerable to attacks.

An OpenID Connect (OIDC) Provider abstracts the authentication mechanism and allows developers to easily and safely trust an external party, the OIDC Provider, to authenticate the user’s identity and report claims about the user. Clients can use the OIDC Provider to request and receive information about identities and the currently authenticated sessions.

NoPasswordLogin combines WebAuthN and OIDC into a single authentication flow that delivers the best of what both standards can offer:

  • End-users experience simple-to-use passwordless authentication.
  • Developers use a well-known and easy-to-integrate OIDC flow.
  • Security practitioners can trust an implementation that is built on standards, which encourages broader adoption of better authentication methods.

FIDO2 / WebAuthN

FIDO 2.0 (FIDO2) is an open authentication standard that enables users to leverage common devices to authenticate to online services in both mobile and desktop environments. FIDO2 is a phishing-proof, passwordless authentication protocol whose goal is to create a strong authentication standard for the web.

FIDO2 is comprised of the W3C’s Web Authentication specification (WebAuthN) and FIDO’s corresponding Client-to-Authenticator Protocol (CTAP).

  • WebAuthN defines a standard API for password-free login that can be built into browsers to enable online services to use FIDO Authentication. With WebAuthN you can now incorporate FIDO technology into any modern browser with minimal effort.
  • CTAP enables external devices such as mobile handsets (e.g. TouchID/FaceID) or FIDO Security Keys (e.g. Yubikey) to work with WebAuthN and serve as authenticators to desktop applications and web services, completely eliminating the password dependency.

WebAuthN (as of January 2020) works with the following browsers/platforms:

  • Edge on Windows 10
  • Chrome on Windows 10
  • Firefox on Windows 10
  • Chrome on Android
  • Chrome on macOS
  • Safari on iOS
  • Safari on macOS

OpenID Connect

OpenID Connect is a standard for implementing authentication for web and mobile applications and Single Sign-On. It is based on OAuth2 and implements authentication in a way that is API-friendly and usable by applications.

OpenID Connect is extremely important for developers who stand up web applications and need to authorize and authenticate users. You can get information about the users, learn what the users have access to and determine how each user was authenticated. It gives you everything you need to perform delegated authentication.

NoPasswordLogin and OpenID Connect

The NoPasswordLogin OpenID Provider verifies the user’s identity and authenticates the user through WebAuthN. Developers can very easily implement a sign-in flow, or integrate it into their multi-factor authentication flow, to authenticate users.

You can use any OpenID Connect Client to communicate with the NoPasswordLogin Identity Provider. The configuration endpoint publishes core details about the OpenID Connect service. These details can be found by accessing the following URL:

https://api.nopasswordlogin.com/.well-known/openid-configuration
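
Before a client trusts what the configuration endpoint publishes, it should check the returned metadata. The sketch below is an added example, not NoPasswordLogin's code: the issuer value is assumed from the URL above, the sample documents are constructed, and the "none" and "code" checks are this example's own client policy.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
            "subject_types_supported", "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")

def discovery_url(issuer):
    """Build the configuration URL from the issuer the client is configured to trust."""
    return issuer.rstrip("/") + WELL_KNOWN

def validate_discovery(issuer, doc):
    """Return a list of problems; an empty list means the metadata is acceptable."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    # OIDC Discovery 1.0, section 4.3: the returned issuer must be identical to
    # the issuer used to build the URL, otherwise another party's metadata
    # (and signing keys) would be accepted for this provider.
    if doc.get("issuer") != issuer:
        problems.append("issuer mismatch")
    for key in ENDPOINTS:
        if key in doc and urlsplit(str(doc[key])).scheme != "https":
            problems.append(f"{key} is not https")
    # Client policy (assumption of this example): refuse unsigned ID tokens
    # and require the authorization code flow.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("alg none advertised")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("code flow not advertised")
    return problems

# Constructed sample metadata; endpoint paths are placeholders, not the
# provider's real document.
ISSUER = "https://api.nopasswordlogin.com"  # assumed from the URL on this page
GOOD = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/example/authorize",
    "token_endpoint": ISSUER + "/example/token",
    "jwks_uri": ISSUER + "/example/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Constructed tampered copy: wrong issuer, plaintext JWKS URL, unsigned tokens.
BAD = dict(GOOD, issuer="https://idp.example.net", jwks_uri="http://idp.example.net/jwks",
           id_token_signing_alg_values_supported=["RS256", "none"])

if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print(validate_discovery(ISSUER, GOOD))
    print(validate_discovery(ISSUER, BAD))
```

In a real client, `doc` would be the JSON fetched over TLS from `discovery_url(ISSUER)`, and a non-empty result should abort configuration rather than fall back to defaults.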

You can see it working and try it out with our Dashboard.


Conclusion

OpenID and WebAuthN together make authentication and SSO easy to implement: two powerful technologies that get rid of passwords and make authentication easier for users. Using the OpenID Connect authentication scheme with FIDO2 allows for passwordless login and reduces the number of compromised credentials.

Register and try out NoPasswordLogin!

Email us at hello@nopasswordlogin.com to speak to us more about integrating Passwordless into your application.


Check out our other article which explains more about how you can use NoPasswordLogin to go passwordless:

https://medium.com/@nopasswordlogin/passwordless-as-a-service-3b8fd43a796e
