Kathleen Moriarty

Tracing the Evolving Levels of Support for WebAuthn

You've likely been hearing about the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) and wondering if you're ready to implement it in your environment. Here's everything you need to know!


One reason WebAuthn is gaining traction is that it not only helps deprecate passwords but also prevents credential theft: it uses public/private key pairs for multi-factor authentication (MFA), so a cyber threat actor (CTA) cannot steal or replay credentials, and it is simpler to implement than a full PKI solution. (An earlier blog covered the different types of MFA schemes and linked to an NSA evaluation of MFA solutions against the NIST Special Publication 800-63 Authentication Levels.)

WebAuthn is just one of the authentication protocols that fit into the FIDO Alliance framework enabling public/private key pair authentication across platforms and applications. The solution set evolved from Google’s Universal 2 Factor (U2F) that was first contributed to the FIDO Alliance for development and then to W3C, where WebAuthn emerged. The FIDO Alliance also developed a related authentication protocol, the Client to Authenticator Protocol (CTAP), to support non-web applications.

For authentication protocols in the FIDO Alliance Framework, each user and application combination has a unique public/private key pair, and mutual authentication is performed by using these keys to digitally sign challenges. Because the challenge is freshly generated for each authentication and only the signed challenge, never the private key, passes on the wire, credentials cannot be replayed or easily captured. (You may be hearing more about secure passwordless authentication these days. Passwordless authentication is possible because of the proliferation of these standards.)
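To make the challenge-signing described above concrete, here is an added example (not code from the original post, and not the FIDO Alliance's or W3C's own implementation) of the relying-party side of a WebAuthn-style login. It models the properties the paragraph relies on: a fresh random challenge per login that is consumed on first use, a signature by the authenticator's private key over the authenticator data plus the hash of the client data, and server-side checks of challenge, origin, RP ID hash and signature. The RP ID `example.com`, origin `https://example.com`, user `alice` and lookalike origin `https://examp1e.com` are constructed for the example, and the authenticator data is simplified to the RP ID hash plus one flags byte (no signature counter, attestation or CBOR encoding). The `Sign` function stands in for a browser plus security key; in a real deployment the browser, not the site, fills in the origin it observed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// clientData holds the CollectedClientData fields the relying party checks.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"` // set by the browser, not by the user or the site
}

type Assertion struct { // all that travels on the wire: no key material, only a signature
	ClientDataJSON []byte
	AuthData       []byte // simplified: SHA-256(rpID) || flags (no counter, no CBOR)
	Signature      []byte
}

// signedBytes reproduces WebAuthn's signed message: authData || SHA-256(clientDataJSON).
func signedBytes(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign models the authenticator: priv never leaves it, and the origin the browser saw is signed.
func Sign(priv *ecdsa.PrivateKey, challenge []byte, origin, rpID string) (*Assertion, error) {
	cd, err := json.Marshal(clientData{
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags byte: user present
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedBytes(authData, cd))
	return &Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, err
}

// RelyingParty keeps one public key per user and one single-use challenge per login attempt.
type RelyingParty struct {
	ID, Origin string
	keys       map[string]*ecdsa.PublicKey
	pending    map[string][]byte
}

// BeginLogin issues a fresh 32-byte random challenge; FinishLogin consumes it.
func (rp *RelyingParty) BeginLogin(user string) []byte {
	ch := make([]byte, 32)
	rand.Read(ch) // crypto/rand: in current Go a failure here aborts rather than returning
	rp.pending[user] = ch
	return ch
}

// FinishLogin runs the relying-party checks: challenge, origin, RP ID hash, signature.
func (rp *RelyingParty) FinishLogin(user string, as *Assertion) error {
	pub, known := rp.keys[user]
	expected, outstanding := rp.pending[user]
	if !known || !outstanding {
		return errors.New("unknown user or no outstanding challenge (replayed assertion?)")
	}
	delete(rp.pending, user) // single use, whatever the outcome below
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(expected) {
		return errors.New("challenge mismatch")
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: assertion was signed for " + cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthData) < 33 || !bytes.Equal(as.AuthData[:32], rpHash[:]) || as.AuthData[32]&0x01 == 0 ||
		!ecdsa.VerifyASN1(pub, signedBytes(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("rpIdHash, user-presence flag or signature invalid")
	}
	return nil
}

// Demo: a good login, a replay of the captured assertion, then a lookalike-origin assertion (nil = accepted).
func Demo() (loginErr, replayErr, phishErr error) {
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com", // constructed
		keys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // error ignored in this demo
	rp.keys["alice"] = &priv.PublicKey                          // registration ceremony, abbreviated
	as, _ := Sign(priv, rp.BeginLogin("alice"), "https://example.com", "example.com")
	loginErr = rp.FinishLogin("alice", as)
	replayErr = rp.FinishLogin("alice", as) // same bytes again: challenge already consumed
	bad, _ := Sign(priv, rp.BeginLogin("alice"), "https://examp1e.com", "example.com") // lookalike
	phishErr = rp.FinishLogin("alice", bad)
	return
}
```

Calling `Demo()` accepts the first login, rejects the replayed assertion because its challenge has already been consumed, and rejects the lookalike-origin assertion even though its signature is valid, because the origin is part of what was signed. That origin binding, supplied by the browser rather than typed by the user, is what makes the scheme phishing-resistant; a scheme that signed the bare challenge alone would stop replay but not relay through a lookalike site.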

In a memo dated January 26, 2022, the US Office of Management and Budget specifically called out W3C’s WebAuthn along with public key infrastructure (PKI) as one of the acceptable authentication methods for the federal government to implement by the end of fiscal year 2024 because of its phishing-resistant properties. The memo requires a zero-trust approach where MFA is required at the application layer instead of the network layer. This is a change in guidance from the model before adoption of zero-trust, with remote access or administrator-level access being more common as a sole requirement for MFA. The requirement provides incentives for vendors who have not yet integrated the standard to do so now. As a result, many applications, existing Identity and Access Management (IAM) frameworks, directory services (e.g. LDAP, ActiveDirectory), credential providers (CP), and identity providers (IDP) support WebAuthn or are planning to support the appropriate protocol in the FIDO Framework.

Determining Support for Your Environment

There are many levels of support for emerging protocols, including fully certified solutions that are listed on the FIDO Alliance Certified Products web page. W3C also promotes support of WebAuthn in products, as it works closely with client vendors to ensure wide support in web browsers, devices, and client operating systems. Some point products have support integrated at some level, but the applications aren't certified. Additionally, in many cases, a credential provider may provide support or integration through a directory service such as LDAP or ActiveDirectory. If your organisation’s applications are not listed directly in one of these lists, developers and administrators should look to the following resources to determine if it is possible to close the gap for their environment:

A large number of products support WebAuthn and other standards in the FIDO Framework. W3C worked diligently with browser vendors and other client application vendors to ensure that access using these standards would be possible from most devices and systems. The support data published by the FIDO Alliance and W3C are regularly updated; however, they are not connected in a way that makes it easy for organisations to determine whether all the products they care about most in their environments have support.

As such, the Center for Internet Security (CIS) conducted market research to see whether we could at least bridge that gap with a point-in-time snapshot of readiness for implementation. Support is grouped into categories that may help you determine whether your clients, applications, and devices have the support needed to move to WebAuthn and the FIDO Framework.

Identity and Credential Provider Support

Identity providers (IdP) create, store, and manage digital identities. Credential providers manage authentication credentials that can be assigned to an identity. While many organisations manage their own credentials, some can outsource these efforts to ease management. (This may be more common for some types of multi-factor authentication protocols.) In some cases, an IdP is also a credential provider. Many organisations already use a credential provider where support for newer authentication protocols such as WebAuthn is available. Additionally, several One-Time Password (OTP) solution providers have expanded to become credential providers by supporting additional authentication protocols such as WebAuthn.

The table below lists the credential providers discovered in our research that support WebAuthn.

NOTE: For updates to all the following tables, go check the original article over on the CIS blog.

Identity and Credential Providers

| Company/Solution | MFA Factor Type | WebAuthn Support |
| --- | --- | --- |
| Auth0 | Push notifications, SMS, Voice, One-Time Passwords, WebAuthn with security keys and device biometrics, Email | Yes |
| CyberArk | QR Code, Push notification, PINs, Authenticator App, OTP, Phone Call, SMS, Email, Hardware Token, Biometric | Yes |
| Duo | Duo Push, WebAuthn, Biometrics, Tokens, Passcodes | Yes |
| Google Cloud | Hardware security keys, phone as a security key, mobile device push notifications, SMS, and voice calls | Yes |
| IBM Security Verify | SMS/Email/Voice Callback OTP, TOTP, IBM Verify App (user presence and biometric), FIDO authenticator | Yes |
| LoginTC | Passwords, four-digit personal identification numbers, OTPs, hardware token, security key, key fob, SIM Card, Biometric | Yes |
| Microsoft Azure AD | Microsoft Authenticator app, Windows Hello for Business, FIDO2 security key, OATH hardware token, OATH software token, SMS, Voice Call | Yes |
| MiniOrange | SMS, Phone Callback, Multi-Factor Authenticator Apps, miniOrange Authenticator, Email, Hardware Token, Security Questions | Yes |
| Okta | Passwords, Security Questions, SMS/Voice/Email Verification, FIDO Certified Hardware, WebAuthn | Yes |
| OneLogin | OTP app, email, SMS, voice, WebAuthn for biometric factors, third-party options | Yes |
| PingID/PingFederate | Mobile push, email OTP, SMS OTP, TOTP authenticator apps, QR codes, magic links, FIDO2-bound biometrics, security keys | Yes |
| RSA SecurID Access | Push-to-approve, one-time passcodes, biometrics, FIDO-based authentication | Yes |
| SailPoint | Mobile push, email OTP, SMS OTP, authenticator app, biometrics, security keys and tokens | No, needs to be paired with another solution |

VPN and VDI WebAuthn Support

Before zero trust was prominent, MFA was minimally required for remote access and administrator functions. As such, assessing support on these devices is likely a first step for your organisation. One way to determine if support is possible is to look at the methods used for managing authentication of end users.

The following services or protocols are used as ways to support many types of authentication and allow for an indirect method to support WebAuthn:

  • If ActiveDirectory, LDAP, or RADIUS is listed as supported, it may be possible to configure your virtual private network (VPN) to require WebAuthn as the MFA protocol.
  • If a credential provider is used in combination with a particular application, service, or remote infrastructure login and the credential provider supports WebAuthn, that could also be indicative of support.
  • If a particular product works with a credential provider and that credential provider supports WebAuthn, the VPN product may indirectly support WebAuthn via this service.
  • CIS confirmed with VMware that virtual desktop interface (VDI) support exists for browser-based access and that client-based access is a work-in-progress. This confirmation followed from the direct request from a member.

CIS research has confirmed support for WebAuthn in the following market leader products for VPN and VDI:

Top VPN Providers (Gartner Source for Product List)

| Company | Product Name | WebAuthn or PKI Certificate Authentication Support |
| --- | --- | --- |
| AccelPro | AccelPro Secure Access | PKI certificate authentication, additional methods possible |
| Apple | IKEv2 | Supported directly |
| Array Networks | AG series, vxAG SSL VPN | Supported through identity providers and SSO |
| Aryaka | SmartACCESS, Private Access | No, device-based authentication |
| AT&T | VPN Gateway | Possible through identity provider |
| Awingu | Awingu | Supported through multiple identity and credential providers |
| Blockbit | Blockbit Network Security | Unknown |
| Certes Networks | CryptoFlow | Unknown |
| Cisco | AnyConnect | Supported through multiple identity and credential providers |
| Citrix | Citrix Gateway | Supported through multiple identity and credential providers |
| Check Point Software | Check Point Capsule | PKI certificate authentication and WebAuthn possible through MFA credential providers |
| Cradlepoint | Cloud Network Engine Platform | Unknown |
| Dell Technologies | Firewall SSL VPN | Supported through multiple identity and credential providers |
| F5 | Big-IP TLS VPNs | Supported through identity providers and SSO |
| Fortinet | FortiClient | Supports RADIUS |
| Google | Cloud VPN | Supported directly and through identity providers |
| Hillstone Networks | Hillstone Networks IPsec VPNs | Supports Xauth |
| HPE (Aruba) | Virtual Intranet Access (VIA) VPN | PKI certificate authentication and WebAuthn possible through MFA credential providers |
| Ivanti | Ivanti Sentry | No, device-based authentication |
| Microsoft | DirectAccess-IPsec VPN, Web Application Proxy-TLS Gateway | MFA via Azure AD |
| Oracle | Oracle Mobile Platform | MFA supported through Oracle Mobile Authenticator and Google Authenticator |
| Palo Alto Networks | Global Protect | Supported through multiple identity and credential providers |
| Pulse Secure | Mobile VPN | PKI certificate authentication and WebAuthn possible through MFA credential providers |
| Sangfor Technologies | Sangfor SSL VPN | Unknown |
| SonicWall | SonicWall Global VPN Client, SonicWall Secure Mobile Access | Supported through multiple identity and credential providers |
| Watchguard | Mobile VPN with SSL, IPsec VPN Client, Basic VPN Client | No WebAuthn listed |

Zero Trust Network Access (ZTNA) Products

Zero-trust network access (ZTNA) products provide dedicated and secure access to individual applications supporting zero-trust principles, including strong multi-factor authentication and dynamic authentication. Ideally, ZTNA products would also cover the full set of tenets for zero-trust; however, for this blog and research, the focus is on MFA.

ZTNA market leaders are included below along with an indication of their support for WebAuthn as an MFA method. If a product is highlighted in green, verification of support is possible and clear from the vendor or through a certification process result. Gartner assessed ZTNA market penetration in June 2022 at 5-20%, with an expected year-over-year growth rate of 60%. VPNs may be more prevalent today, but this should change with zero-trust adoption initiatives underway.

Zero Trust Network Access Products

| Company | Product Name | WebAuthn or PKI Certificate Authentication Support |
| --- | --- | --- |
| Absolute Software (NetMotion) | NetMotion ZTNA | PKI certificate authentication, additional methods possible |
| Akamai | Enterprise Application Access | WebAuthn and other MFA methods supported |
| Appgate | Appgate SDP | No WebAuthn; OTP, Biometrics, and Push available |
| Axis | Axis Platform | No WebAuthn listed or certification |
| Banyan Security | Zero Trust Remote Access | PKI certificate authentication and WebAuthn possible through MFA credential providers |
| Bitglass | Zero Trust Network Access | PKI certificate authentication and WebAuthn possible through MFA credential providers |
| BlackRidge | Transport Access Control | Device and IoT Access Products |
| Broadcom | Symantec Secure Access Cloud | May be possible via credential provider, SAML supported for SSO |
| Cato | Cato Secure Remote Access | May be possible through identity and credential provider, SSO supported |
| Check Point Software Technologies | Harmony Connect | Supported through identity and credential provider |
| Cisco | Duo Beyond | Supported through identity and credential provider |
| Citrix | Secure Private Access | Supported through identity and credential provider |
| Cloudaemon (China) | Taiji Perimeter | Unknown |
| CloudDeep Technology (China only) | Deep Cloud SDP | Unknown |
| Cloudflare | Cloudflare Access | Available through select identity providers |
| Cognitas Technologies | Crosslink | Supported through identity provider |
| Cyolo | Zero Trust Network Access (ZTNA) 2.0 | Supported through identity provider |
| Deloitte (Transientx) | TransientAccess | May be possible through identity provider |
| Forcepoint | Private Access | Supported through identity provider |
| Google | BeyondCorp Remote Access | Supported directly and through identity providers |
| Google Cloud Platform | Identity-Aware Proxy | Supported directly and through identity providers |
| InstaSafe | Zero Trust Remote Access | Supported through identity providers and SSO |
| Ivanti | Ivanti Neurons for Secure Access | No, device-based authentication |
| Jamf | Jamf Private Access | Supported through identity provider |
| McAfee | MVISION Private Access | Supported through identity provider |
| Microsoft | Azure AD Application Proxy | Supported through Azure AD identity management |
| Microsoft | Web Application Proxy for Windows Server | Supported directly |
| NetFoundry | Zero Trust Networking Platform | No WebAuthn or PKI support, MFA via Google Authenticator |
| Netskope | Netskope Private Access | Supported through identity providers and SSO SAML |
| Okta | Okta Identity Cloud | Supported through identity provider (Okta is also an IdP.) |
| Palo Alto Networks | Prisma Access | Supported through credential providers |
| Perimeter 81 | Zero Trust Network Access | Supported through identity providers |
| Safe-T | Zone Zero | Supports RADIUS and Open Authentication (OATH) |
| SAIFE | Continuum | Supported through identity providers |
| Systancia | Systancia Gate | Supported directly (PAM product) |
| Trusfort | Zero-Trust Business Security | Unknown |
| Twingate | Twingate | Supported through identity provider |
| Unisys | Stealth | No, other MFA protocols supported |
| Verizon | Verizon Software Defined Perimeter (SDP) | No, other MFA and passwordless solutions supported |
| Versa | Versa Secure Access | MFA supported through ActiveDirectory, LDAP, or RADIUS |
| Waverley Labs | Open Source Software Defined Perimeter | Unknown |
| Zentera Systems | Secure Access ZTNA | Supported through identity provider |
| Zero Networks | Access Orchestrator | No, Access Orchestrator provides asset-focused MFA |
| Zscaler | Private Access | Supported through identity provider |

Source for Vendors in ZTNA Chart

Operating System and Desktop Client Support

Operating system support is included and mapped against the market adoption for client systems.

Operating System and Desktop Client Support

| Operating System | FIDO2/WebAuthn Support | Browser | Platform Authenticators | Roaming Authenticators (FIDO Certified Hardware, Titan Keys, etc.) |
| --- | --- | --- | --- | --- |
| Android 7+ | Yes | Chrome | Yes | Yes |
| | | Safari | N/A | N/A |
| | | Firefox | No | No |
| | | Brave | No | No |
| | | Edge | No | No |
| Windows 10+ | Yes | Chrome | Yes | Yes |
| | | Safari | N/A | N/A |
| | | Firefox | Yes | Yes |
| | | Brave | Yes | Yes |
| | | Edge | Yes | Yes |
| macOS | Yes | Chrome | Yes | Yes |
| | | Safari | Yes | Yes |
| | | Firefox | No | Yes |
| | | Brave | Yes | Yes |
| | | Edge | Yes | Yes |
| iOS | Yes | Chrome | Yes | Yes |
| | | Safari | Yes | Yes |
| | | Firefox | Yes | Yes |
| | | Brave | Yes | Yes |
| | | Edge | Yes | No |
| Linux | Partial Support | Chrome | \ | Yes |
| | | Safari | N/A | N/A |
| | | Firefox | \ | Yes |
| | | Brave | \ | Yes |
| | | Edge | \ | Yes |

Web Browser and Device Support

The following clients support WebAuthn, providing broad coverage to enable access to applications and services.

The following devices support WebAuthn and/or CTAP.

Web Browser and Device Support

| Desktop Browser | Version(s) | WebAuthn Support |
| --- | --- | --- |
| Chrome | Versions 67 - 109 | Yes |
| Edge | Versions 18 - 106 | Yes |
| Safari | Versions 13 - 16.2 | Yes |
| Firefox | Versions 60 - 108 | Partial support |
| Opera | Versions 54 - 92 | Yes |
| Brave | Version 1.45.113 | Yes |

| Mobile Browser | Version(s) | WebAuthn Support |
| --- | --- | --- |
| Chrome for Android | Version 106 | Yes |
| Safari on iOS* | Versions 13.3 - 14.4 | Partial support |
| Safari on iOS* | Versions 14.5 - 16.1 | Yes |
| Samsung Internet | Versions 17.0 - 18.0 | Yes |
| Opera Mini* | All | No |
| Opera Mobile* | Version 64 | Yes |
| UC Browser for Android | Version 13.4 | Yes |
| Android Browser* | Version 106 | Yes |
| Firefox for Android | Version 105 | Partial support |
| QQ Browser | Version 13.1 | Yes |
| Baidu Browser | Version 13.18 | Yes |
| KaiOS Browser | Version 2.5 | Yes |

Application Support

The list of web-based applications supporting WebAuthn and FIDO can be found in this certified product list from the FIDO Alliance. Additional applications may support these protocols, or it may be possible to integrate applications for support through existing infrastructure as discussed earlier in the blog.

Several token providers offer lists of applications that also support protocols in the FIDO Framework. As such, the links are provided to aid research on application support of WebAuthn, CTAP, and FIDO protocols.

Hideez list of supported applications.

Yubico list of Application and Services supporting FIDO Certified Hardware Tokens

CIS researched several cloud-based or hosted application services to determine the level of support for WebAuthn and PKI certificate-based authentication. It maintains the list in the table below.

Cloud-based Services

| Company | Product Name | WebAuthn or PKI Certificate Authentication Support |
| --- | --- | --- |
| ADP | ADP | Supported through identity providers and SSO SAML |
| Amazon Web Services | AWS | Supported directly |
| Apache | Cloud Stack | Credential and identity providers through OpenID Connect |
| Asana | Asana | Yes, through OpenID Connect |
| Atlassian | Jira, Confluence, Bitbucket, Trello | Supported directly |
| Basecamp | Basecamp | Supported directly |
| BlueJeans | BlueJeans | Supported through identity providers and SSO SAML |
| Concur | Concur | Supported through identity providers and SSO SAML |
| Dropbox | Dropbox | Supported directly |
| Expensify | Expensify | Supported through identity providers and SSO SAML |
| Meta | Facebook | Supported through identity providers and SSO |
| GitHub | GitHub | Supported directly |
| Google | Google Meet, Google Cloud Platform, Google Analytics, Google Drive | Supported directly and through identity providers |
| Hootsuite | Hootsuite | Supported through identity providers and SSO SAML |
| HubSpot | HubSpot | No WebAuthn or PKI support, MFA through multiple authentication apps |
| IBM | Compose, IBM Cloud | Supported directly |
| LinkedIn | LinkedIn | Supported through identity providers and SSO |
| Microsoft | Microsoft Teams | Supported through Azure Active Directory |
| Microsoft | Microsoft Azure | Supported through Azure Active Directory |
| Microsoft | Office 365 | Supported directly |
| OnApp | OnApp | Supported through identity providers and SSO SAML |
| Salesforce | Salesforce | Supported directly |
| Salesmate | Salesmate | Supported through identity providers and SSO SAML |
| SAP | SAP | Supported through identity providers and SSO SAML |
| Sentry | Sentry | Supported directly |
| ServiceNow | Enterprise CX | Supported through identity providers and SSO SAML |
| Shopify | Shopify | Supported through identity provider |
| Slack | Slack | No WebAuthn or PKI support, MFA through multiple authentication apps |
| Square | Square | WebAuthn supported through 3-D Secure |
| Twitter | Twitter | Supported directly |
| Voluum | Voluum | No WebAuthn or PKI support, MFA through multiple authentication apps |
| Webex | Webex | No WebAuthn or PKI support, MFA through multiple authentication apps |
| Zoom | Zoom | No WebAuthn or PKI support, MFA through multiple authentication apps |

Expanding Support for WebAuthn

As you will see from the research above, support for WebAuthn and the related protocols in the FIDO Alliance Framework is widespread. If you are considering MFA for the first time or revising your solution set, it is a technology worth the investment, both for the protection it offers and for how far along the path to adoption it already is. WebAuthn has strong support as buyers increasingly request the protocol because of its strength and the longevity projected by sources such as the U.S. federal government and CISA.

We'll update our market research as the solution space evolves. In the meantime, if you see something that warrants a correction, you can get in touch with us below.


Additional information on multi-factor authentication and authorisation technologies can be found in the following resources:

This article was originally published over on the CIS blog.


About the author

Kathleen Moriarty, technology strategist and board advisor, helping companies lead through disruption. Adjunct Professor at Georgetown SCS, also offering two corporate courses on Security Architecture and Architecture for the SMB Market. Formerly, as Chief Technology Officer of the Center for Internet Security, Kathleen defined and led the technology strategy, integrating emerging technologies. Prior to CIS, Kathleen held a range of positions over 13 years at Dell Technologies, including Security Innovations Principal in the Dell Technologies Office of the CTO and Global Lead Security Architect for the EMC Office of the CTO, working on ecosystems, standards, risk management and strategy. In her early days with RSA/EMC, she led consulting engagements interfacing with hundreds of organisations on security and risk management, gaining valuable insights and managing risk to business needs. During her tenure in the Dell EMC Office of the CTO, Kathleen had the honor of being appointed and serving two terms as the Internet Engineering Task Force (IETF) Security Area Director and as a member of the Internet Engineering Steering Group from March 2014 to 2018. Named in CyberSecurity Ventures' Top 100 Women Fighting Cybercrime. She is a 2020 Tropaia Award Winner, Outstanding Faculty, Georgetown SCS. Keynote speaker, podcast guest, frequent blogger bridging a translation gap for technical content, conference committee member, and quoted in publications such as CNBC and Wired. Kathleen has over twenty-five years of experience driving positive outcomes across Information Technology Leadership, short- and long-term IT Strategy and Vision, Information Security, Risk Management, Incident Handling, Project Management, Large Teams, Process Improvement, and Operations Management in multiple roles with MIT Lincoln Laboratory, Hudson Williams, FactSet Research Systems, and PSINet.
Kathleen holds a Master of Science Degree in Computer Science from Rensselaer Polytechnic Institute, as well as a Bachelor of Science Degree in Mathematics from Siena College. Published work: Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain, July 2020.
