Next-level Authentication with Webauthn

Phill Mell-Davies
The Quiq Blog

--

In 2021, as part of our never-ending quest to improve security at Quiq, we started exploring options for adding additional layers of authentication for some of our most critical services. We already utilize federated authentication (single sign-on) for our internal and customer facing services, through which we require multi-factor authentication, but the question arose, could we do more?

This search led us to explore Webauthn. What is it exactly? Webauthn is a standard that allows websites to easily support passwordless, public key-based authentication. What does this mean in practice? It means that you can use a wide range of modern mechanisms such as YubiKey, Apple Touch ID, Windows Hello, and more for logging into your critical services.

Adding Webauthn into our defense-in-depth strategy is a big win! There’s just one problem. While all major web browsers have supported Webauthn for some time, adoption on the server side has been very slow. We rely very heavily on self-hosted, open source tools, and we apply federated authentication using OAuth2 Proxy. This lets us add a little configuration to NGinx and voilà! Any request to the service requires the user to log in to our single sign-on provider.

Unfortunately, there wasn’t a proxy that allowed us to easily do the same thing with Webauthn. There were a few projects that aimed to do this, but they all had drawbacks: too immature, not easy to automate with our DevOps tools, or requiring dependencies that we didn’t want to have to manage. So to solve this problem, we created our own.

As of today, we are open-sourcing Quiq’s Webauthn proxy: https://github.com/Quiq/webauthn_proxy

The proxy is compact and easy to deploy. Written in Go, it is simple to configure; in fact, there are only two parameters you are required to change in its configuration file to get started. It stores configuration and user credentials in a simple YAML file, so it’s a breeze to manage with tools like Ansible or Puppet.

The README file in the GitHub repo illustrates how to use the proxy with NGinx. It also demonstrates a more advanced configuration with OpenResty that chains OAuth2 Proxy and the Webauthn proxy, requiring both methods to succeed in order to log in. We are confident that it will work with other reverse proxies and web servers, but thus far it has only been tested with NGinx and OpenResty.
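As an added illustration (not the configuration from the project’s README), here is one way the chaining described above can be expressed in OpenResty, where plain NGinx’s single auth_request per location is not enough. OAuth2 Proxy’s /oauth2/auth (202 on a valid session) and /oauth2/start endpoints are its real ones; the Webauthn proxy’s /webauthn/auth and /webauthn/login paths, the ports and the hostname are placeholders to be replaced with the values from the proxy’s README.

```nginx
# Constructed example: both OAuth2 Proxy and the Webauthn proxy must approve
# a request before it reaches the protected service. Ports, hostname and the
# Webauthn proxy paths are assumptions, not the project's documented values.
server {
    listen 443 ssl;
    server_name app.internal.example;   # placeholder

    # Internal subrequest targets. Request bodies are dropped so the checks
    # only see headers and cookies.
    location = /oauth2/auth {
        internal;
        proxy_pass http://127.0.0.1:4180;          # OAuth2 Proxy (placeholder port)
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }
    location = /webauthn/auth {
        internal;
        proxy_pass http://127.0.0.1:8080;          # Webauthn proxy (placeholder port and path)
        proxy_set_header Host $host;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    # The login and callback pages of both proxies must be reachable before login.
    location /oauth2/   { proxy_pass http://127.0.0.1:4180; proxy_set_header Host $host; }
    location /webauthn/ { proxy_pass http://127.0.0.1:8080; proxy_set_header Host $host; }

    location / {
        access_by_lua_block {
            local target = ngx.escape_uri(ngx.var.request_uri)
            -- Step 1: SSO session. OAuth2 Proxy answers 202 only for a valid cookie.
            local sso = ngx.location.capture("/oauth2/auth")
            if sso.status ~= 202 then
                return ngx.redirect("/oauth2/start?rd=" .. target)
            end
            -- Step 2: Webauthn session. Anything other than 200 (401, but also a
            -- 5xx from a broken proxy) is treated as not logged in: fail closed.
            local wa = ngx.location.capture("/webauthn/auth")
            if wa.status ~= 200 then
                return ngx.redirect("/webauthn/login?redirect_url=" .. target)
            end
        }
        proxy_pass http://127.0.0.1:3000;          # the protected service (placeholder)
        proxy_set_header Host $host;
    }
}
```

Because the Webauthn check runs only after the SSO check succeeds, a user who passes single sign-on but has no Webauthn session is sent to the Webauthn login page rather than to the application.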

There are a couple of caveats to be aware of. First of all, we’re strictly using the Webauthn proxy internally; as of today we don’t support Webauthn for our customers to log into Quiq’s products. Many of our customers use their own single sign-on solutions with Quiq anyway, so it will be up to them to support it. Secondly, passwordless authentication should always be used as part of a multi-factor approach, not by itself; otherwise a thief who steals your authentication device could potentially log in as you.

We really hope that this project will be used by as many teams as possible to help secure their own infrastructure. We also look forward to contributions so if you find a way to make it more useful for you, please open an issue or pull request. Cheers!
