No more passwords: Web Authentication in OutSystems
Users often reuse the same user name/email and password combination across multiple web sites.
This is a problem: if their credentials are compromised on one web site, they are compromised on all of them.
Some use password managers with generated strong passwords, but what if there were a way not to use passwords at all?
It turns out there is.
Web Authentication
The Web Authentication API (also referred to as WebAuthn) uses asymmetric (public-key) cryptography instead of passwords or SMS texts for registering, authenticating, and second-factor authentication with websites. This has some benefits:
Protection against phishing: An attacker who creates a fake login website can’t log in as the user, because the signature is bound to the origin of the website and changes with it.
Reduced impact of data breaches: Developers don’t need to hash the public key, and if an attacker gets access to the public key used to verify the authentication, they can’t authenticate with it because authentication requires the private key.
Invulnerable to password attacks: Some users might reuse passwords, and an attacker may obtain the user’s password for another website (e.g. via a data breach). Also, text passwords are much easier to brute-force than a digital signature.
Check out the full documentation.
How does it work?
Registering a User:
It starts with the browser asking for a new key pair to be created. The key pair is generated by some hardware resource: it can be the TPM (trusted platform module) of the computer or some sort of external hardware like a Yubico key.
The public key is sent to the server, validated, and then associated with the user profile.
Signing in:
When the user signs in, the browser sends authentication data signed with the private key, which only you or your machine has. The authenticator can then validate this signature using your public key.
This way it doesn’t matter if your public keys get stolen, because only your private key can sign the messages.
OutSystems Implementation
Implementing this in OutSystems is a two step process.
First, we need the client-side WebAuthn methods.
The second step is to build an authenticator on the server side. Libraries that implement FIDO2 methods are scarce, and the most popular one, fido2.net, proved to be trickier than anticipated.
So for now we’ll use a REST API called passwordless.dev, which provides the server-side authenticator role.
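The client-side step, as an added example that is not part of the original post or the Forge component: the glue a client action needs around `navigator.credentials`. The browser API takes binary fields as `ArrayBuffer`/`Uint8Array`, while a server such as passwordless.dev returns them as base64url strings in JSON, so the work is converting in both directions. The sample server JSON is constructed here and the field names follow the standard WebAuthn options, not any particular API's response format:

```javascript
// Added example: browser-side WebAuthn glue (not from the original post or the
// OutSystems component). Assumes the server sends standard WebAuthn option
// objects with binary fields base64url-encoded, which the browser API cannot
// accept directly.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Decode base64url (with or without padding) into a Uint8Array.
function base64urlToBytes(s) {
  const out = [];
  let bits = 0, value = 0;
  for (const ch of s.replace(/=+$/, '')) {
    const idx = B64URL.indexOf(ch);
    if (idx < 0) throw new Error('invalid base64url character: ' + ch);
    value = (value << 6) | idx;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >> bits) & 0xff);
      value &= (1 << bits) - 1;
    }
  }
  return new Uint8Array(out);
}

// Encode an ArrayBuffer, Uint8Array or byte array as unpadded base64url.
function bytesToBase64url(bytes) {
  let s = '', bits = 0, value = 0;
  for (const b of new Uint8Array(bytes)) {
    value = (value << 8) | b;
    bits += 8;
    while (bits >= 6) {
      bits -= 6;
      s += B64URL[(value >> bits) & 0x3f];
      value &= (1 << bits) - 1;
    }
  }
  if (bits > 0) s += B64URL[(value << (6 - bits)) & 0x3f];
  return s;
}

// Server JSON -> options for navigator.credentials.create().
function toCreationOptions(json) {
  return {
    ...json,
    challenge: base64urlToBytes(json.challenge),
    user: { ...json.user, id: base64urlToBytes(json.user.id) },
    excludeCredentials: (json.excludeCredentials || []).map(c => ({ ...c, id: base64urlToBytes(c.id) })),
  };
}

// Server JSON -> options for navigator.credentials.get().
function toRequestOptions(json) {
  return {
    ...json,
    challenge: base64urlToBytes(json.challenge),
    allowCredentials: (json.allowCredentials || []).map(c => ({ ...c, id: base64urlToBytes(c.id) })),
  };
}

// PublicKeyCredential -> JSON the server can verify (works for both create and get results).
function serializeCredential(cred) {
  const r = cred.response;
  const out = {
    id: cred.id, rawId: bytesToBase64url(cred.rawId), type: cred.type,
    response: { clientDataJSON: bytesToBase64url(r.clientDataJSON) },
  };
  if (r.attestationObject) out.response.attestationObject = bytesToBase64url(r.attestationObject);
  if (r.authenticatorData) out.response.authenticatorData = bytesToBase64url(r.authenticatorData);
  if (r.signature) out.response.signature = bytesToBase64url(r.signature);
  if (r.userHandle) out.response.userHandle = bytesToBase64url(r.userHandle);
  return out;
}

// Browser-only entry points; navigator does not exist outside a browser.
async function registerInBrowser(serverJson) {
  const cred = await navigator.credentials.create({ publicKey: toCreationOptions(serverJson) });
  return serializeCredential(cred);
}
async function signInInBrowser(serverJson) {
  const cred = await navigator.credentials.get({ publicKey: toRequestOptions(serverJson) });
  return serializeCredential(cred);
}

// Constructed sample of a registration response from a server (not real passwordless.dev output).
const SAMPLE_CREATION_JSON = {
  rp: { id: 'example.com', name: 'Example' },
  user: { id: 'AQID', name: 'alice', displayName: 'Alice' },
  challenge: '__4',
  pubKeyCredParams: [{ type: 'public-key', alg: -7 }],
  authenticatorSelection: { userVerification: 'preferred' },
  timeout: 60000,
};
```

In an OutSystems client action, `registerInBrowser` and `signInInBrowser` are the functions to call with the JSON fetched from the server; the value they resolve to is what gets posted back for verification. Browsers that implement WebAuthn Level 3 offer `PublicKeyCredential.parseCreationOptionsFromJSON()` and `credential.toJSON()` for the same conversions, but the hand-written versions above work everywhere the API itself does.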
Testing Web Authn
In order to test this you’ll need a computer with a TPM (most modern computers have one) or some form of hardware authentication (Yubico key, fingerprint scanner, etc.). On Windows you can use Windows Hello.
The registration step:
Then the browser kicks in, asking for your input (in this case Windows Hello):
Finally, this is verified by the authenticator (the passwordless.dev API) and stored:
Login is a similar process:
The browser kicks in and asks to create a signature.
And finally we are validated:
I believe we are going to see WebAuthn being applied more and more. In fact, Microsoft recently announced it would start to roll out support for passwordless authentication on their services, and others will follow.
One might think there is no hardware support for this yet, but the fact is most of us already have everything that is needed. Also, we can make user name/password the fallback exception rather than the rule.
As usual, you’ll find this component and demo on the Forge.
Now, go build those apps.