Forget your passwords with the Web Authentication API
November 04, 2019
Passwords are hard. Data breaches frequently expose poor security practices, proving that, as an industry, we’re not very good at this. As developers have become more aware of these challenges, we’ve tried to offload password management to “the big guns”, making our lives easier, but what about our users? From confusing or ineffective password complexity restrictions to password fields you can’t paste into, it’s no wonder so many people find one password and stick with it.
The Web Authentication API (WebAuthn) allows you to build passwordless authentication or two-factor authentication into your web applications seamlessly in the browser. It uses an asymmetric key pair: the public key is sent to the server, and the private key is stored securely on your device, so your secret is never sent over the internet, which greatly reduces the risk of phishing.
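As an added example that is not from the original post, here is the browser side of the registration step just described: it assumes a hypothetical server that sends the challenge and user handle as base64url-encoded JSON, and it serialises the resulting credential for that server to verify.

```javascript
// base64url <-> ArrayBuffer: the browser API uses ArrayBuffers, JSON uses base64url.
function base64urlToBuffer(b64url) {
  const b64 = b64url.replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

function bufferToBase64url(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Turn the (hypothetical) server JSON into PublicKeyCredentialCreationOptions. The
// challenge must be server-generated, random and single-use: the authenticator
// signs it inside clientDataJSON, which is what lets the server detect replays.
function buildCreationOptions(serverOpts) {
  return {
    challenge: base64urlToBuffer(serverOpts.challenge),
    rp: { name: serverOpts.rpName, id: serverOpts.rpId }, // scopes the credential to this domain
    user: { id: base64urlToBuffer(serverOpts.userId), // opaque handle, not an e-mail address
            name: serverOpts.userName, displayName: serverOpts.displayName },
    pubKeyCredParams: [{ type: 'public-key', alg: -7 },    // COSE ES256
                       { type: 'public-key', alg: -257 }], // COSE RS256
    authenticatorSelection: { userVerification: 'preferred' },
    timeout: 60000,
    attestation: 'none', // plain passwordless login does not need device attestation
  };
}

// Serialise the new credential for POSTing to the server. Only the public key
// (inside attestationObject) leaves the device; the private key never does.
function serializeCredential(cred) {
  return {
    id: cred.id,
    rawId: bufferToBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bufferToBase64url(cred.response.clientDataJSON),
      attestationObject: bufferToBase64url(cred.response.attestationObject),
    },
  };
}

// Browser entry point: prompts the user's authenticator and returns the payload to send.
async function register(serverOpts) {
  const cred = await navigator.credentials.create({ publicKey: buildCreationOptions(serverOpts) });
  return serializeCredential(cred);
}
```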
This blog series will provide an introduction to WebAuthn, outlining the benefits, trade-offs, and future of this new authentication protocol. Through this series you will see how to build an experience that puts control over their credentials (literally) back into the hands of your users.
A large portion of this series was covered in my presentation at DDD Perth (35 minutes). You can also check out the slides and resources.
Posts in the series
Written by Ben Lowry who lives and works in Perth building useful things. You should follow him on Twitter