Announcing Expanded WebAuthn Support for MFA
In November 2022, we announced the general availability of Duo Passwordless. With this release, many high-security, low-friction authentication methods were made available. These methods have transformed the security of organizations that have been able to take advantage of Duo Passwordless, in both ease of use and phishing resistance.
Duo understands that organizations are at varying levels of modernization and may still depend on the use of MFA for some or all of their applications. Whether this is due to specific infrastructural, organizational, or compliance reasons, Duo is closing this gap by adding the same easy-to-use, low-friction authentication methods to MFA for browser-based authentication based on the Universal Prompt. These methods include:
Windows Hello
macOS TouchID
iOS (TouchID/FaceID)
Android (Fingerprint)
By unlocking capabilities already available on most devices (based on actions users are already familiar and comfortable with), you now have more options than ever for your users to securely authenticate into protected applications.
How do users enroll?
We’ve renamed the authentication methods in existing policies. “TouchID” has been renamed to “Platform Authenticator (WebAuthn)”. This renamed category includes all the above methods. All you need to do from here is make sure that “Platform Authenticator (WebAuthn)” is enabled in any applied policies that specify authentication methods.
From there, users can enroll using the Universal Prompt’s Self-Service Portal or during initial enrollment. When Duo detects a capable device and browser, the option will be available during enrollment.
What makes these methods so secure?
In 2012, a group of 250+ security vendors formed the FIDO (Fast Identity Online) Alliance to combat authentication challenges “with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords”, and the Web Authentication API, or WebAuthn for short, was born.
Public key cryptography
The concept behind WebAuthn is not new. It is based on Public Key Cryptography, the same technology behind the widescale growth of ecommerce on the internet. It is what allows you to connect to your bank online over HTTPS (Hypertext Transfer Protocol Secure) and be confident your financial information will be encrypted.
You may have seen a popular exchange between Alice and Bob used to explain the concept of Public Key Cryptography. The essence of the explanation is that, thanks to the magic of cryptography, you can send a “secret” encrypted message using a public key, and only the owner of that public key can decrypt it with their private key. The recipient can in turn digitally sign that message and use the shared secret to set up an encrypted session to send it back, so that both parties can communicate securely in both directions.
What is WebAuthn?
WebAuthn is a different protocol with a different purpose, but it uses that Public Key Cryptography concept to set up and share encrypted messages between two points over the internet. WebAuthn allows servers to register and authenticate users using Public Key Cryptography. It allows servers to integrate with strong biometric authenticators built into devices, like Windows Hello or Apple’s Touch ID.
Instead of a password, a private-public keypair (known as a credential) is created for a website. The private key is stored securely on the user’s device; the public key and a randomly generated credential ID are sent to the server for storage. The server can then use that public key to verify the user’s identity.
The public key is not secret, because it can only be used together with the corresponding private key. Therefore, the public key does not need to be protected on servers the way shared secrets do. The private key may be stored on user devices with encryption technology like a Trusted Platform Module (TPM), which uses secure, tamper-resistant hardware.
Three significant strengths of WebAuthn include:
Stored - Private keys, used to perform the cryptographic operations needed for WebAuthn, are stored in a secure enclave on the access endpoint, often backed by a Hardware Security Module. In the case of passkeys, the keys are stored in an MFA-protected keychain. More on passkeys below.
Scoped - A keypair is only useful for a specific origin, like browser cookies. A keypair registered at a website domain cannot be used at an alternate site, mitigating the threat of phishing.
Signed - Authenticators can provide a certificate that helps servers verify that the public key did in fact come from an authenticator they trust, and not a fraudulent source.
What are passkeys?
In short, passkeys are also WebAuthn credentials, but they can be synchronized in a secure keychain for use on multiple devices within the same device ecosystem. On top of the security benefits of WebAuthn, keychain-synced passkeys are an up-and-coming tool to reduce or eliminate the difficulties that arise when end users get a new device, just as Instant Restore solves this problem for Duo Mobile users. This release offers a limited amount of passkey support across the Apple ecosystem and on Android devices. As passkeys become more commonplace, we expect to support them wherever possible in the future! You can read more about passkeys in our blog post What Are Passkeys?
Universal Prompt
Last year, Duo announced the General Availability of the new Duo Universal Prompt, with various security features and user experience improvements only available in the new prompt. Next year, the legacy Duo Traditional Prompt will no longer be supported.
These expanded authentication methods are only available in Universal Prompt. Security Keys and TouchID for macOS on Chrome will continue to be the only available WebAuthn methods in the Traditional Prompt.
Summary
With expanded WebAuthn support, Duo’s MFA is stronger than ever, and it’s available in all Duo editions. By introducing WebAuthn as an authenticator in your environment, you can improve the user experience while reducing friction. Get started today!