You've likely been hearing about the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) and wondering if you're ready to implement it in your environment. Here's everything you need to know!
One of the reasons WebAuthn is gaining traction is because it not only helps deprecate passwords but also prevents credential theft. It does this by using public/private key pairs for multi-factor authentication (MFA), which prevents a cyber threat actor (CTA) from stealing or replaying credentials. And all while being simpler to implement than a full PKI solution. (An earlier blog covered the different types of MFA schemes and linked to an NSA evaluation of MFA solutions against the NIST Special Publication 800-63 Authentication Levels.)
WebAuthn is just one of the authentication protocols that fit into the FIDO Alliance framework enabling public/private key pair authentication across platforms and applications. The solution set evolved from Google’s Universal 2 Factor (U2F) that was first contributed to the FIDO Alliance for development and then to W3C, where WebAuthn emerged. The FIDO Alliance also developed a related authentication protocol, the Client to Authenticator Protocol (CTAP), to support non-web applications.
For authentication protocols in the FIDO Alliance Framework, each user and application combination has a unique public/private key pair where mutual authentication is performed using these keys to digitally sign challenges. Since the signed challenges pass on the wire, credentials cannot be replayed or easily captured. (You might be hearing more about secure passwordless authentication these days. Passwordless authentication is possible because of the proliferation of these standards.)
In a memo dated January 26, 2022, the US Office of Management and Budget specifically called out W3C’s WebAuthn along with public key infrastructure (PKI) as one of the acceptable authentication methods for the federal government to implement by the end of fiscal year 2024 because of its phishing-resistant properties. The memo requires a zero-trust approach where MFA is required at the application layer instead of the network layer. This is a change in guidance from the model before adoption of zero-trust, with remote access or administrator-level access being more common as a sole requirement for MFA. The requirement provides incentives for vendors who have not yet integrated the standard to do so now. As a result, many applications, existing Identity and Access Management (IAM) frameworks, directory services (e.g. LDAP, ActiveDirectory), credential providers (CP), and identity providers (IDP) support WebAuthn or are planning to support the appropriate protocol in the FIDO Framework.
Determining Support for Your Environment
There are many levels of support for emerging protocols, including fully certified solutions that are listed on the FIDO Alliance Certified Products web page. W3C also promotes support of WebAuthn in products, as it works closely with client vendors to ensure wide support in web browsers, devices, and client operating systems. Some point products have support integrated at some level, but the applications aren't certified. Additionally, in many cases, a credential provider may provide support or integration through a directory service such as LDAP or ActiveDirectory. If your organisation’s applications are not listed directly in one of these lists, developers and administrators should look to the following resources to determine if it is possible to close the gap for their environment:
- FIDO2: Web Authentication (WebAuthn)
- FIDO Alliance: Getting Started for Developers
- FIDO Alliance: Learn More About FIDO Authentication
- W3C Web Authentication Standard
- Overview Video of WebAuthn
There are a large number of products that support WebAuthn and other standards in the FIDO Framework. W3C worked diligently with browser vendors and other client application vendors to ensure that access using these standards would be possible from most devices and systems. The data provided by the FIDO Alliance and W3C on support are regularly updated; however, it is not necessarily connected in a way that is easy for organisations to determine if all the products they care about most in their environments have support.
As such, the Center for Internet Security (CIS) conducted market research to determine if we could bridge that gap minimally as a point-in-time snapshot to determine readiness for implementation. Support is grouped in categories that may help to determine if clients, applications, and devices have the support needed to move to WebAuthn and the FIDO Framework.
Identity and Credential Provider Support
Identity providers (IdP) create, store, and manage digital identities. Credential providers manage authentication credentials that can be assigned to an identity. While many organisations manage their own credentials, some can outsource these efforts to ease management. (This may be more common for some types of multi-factor authentication protocols.) In some cases, an IdP is also a credential provider. Many organisations already use a credential provider where support for newer authentication protocols such as WebAuthn is available. Additionally, several One-Time Password (OTP) solution providers have expanded to become credential providers by supporting additional authentication protocols such as WebAuthn.
The dropdown below is a table listing the credential providers discovered in our research that support WebAuthn.
NOTE: For updates to all the following tables, go check the original article over on the CIS blog.
|Company/Solution||MFA Factor Type||WebAuthn Support|
|Auth0||Push notifications, SMS, Voice, One-Time Passwords, WebAuthn with security keys and device biometrics, Email||Yes|
|CyberArk||QR Code, Push notification, PINs, Authenticator App, OTP, Phone Call, SMS, Email, Hardware Token, Biometric||Yes|
|Duo||Duo Push, WebAuthn, Biometrics, Tokens, Passcodes||Yes|
|Google Cloud||Hardware security keys, phone as a security key, mobile device push notifications, SMS, and voice calls||Yes|
|IBM Security Verify||SMS/Email/Voice Callback OTP, TOTP, IMB Verify App (user presence and biometric), FIDO authenticator||Yes|
|LoginTC||Passwords, four-digit personal identification numbers, OTPs, hardware token, security key, key fob, SIM Card, Biometric||Yes|
|Microsoft Azure AD||Microsoft Authenticator app, Windows Hello for Business, FIDO2 security key, OATH hardware token, OATH software token, SMS, Voice Call||Yes|
|MiniOrange||SMS, Phone Callback, Multi-Factor Authenticator Apps, miniOrange Authenticator, Email, Hardware Token, Security Questions||Yes|
|Okta||Passwords, Security Questions, SMS/Voice/Email, Verification, FIDO Certified Hardware, WeAuthn||Yes|
|OneLogin||OTP app, email, SMS, voice, WebAuthn for biometric factors, third-party options||Yes|
|PingID/PingFederate||Mobile push, email OTP, SMS OTP, TOTP authenticator apps, QR codes, magic links, FIDO2-bound biometrics, security keys||Yes|
|RSA SecurID Access||Push-to-approve, one-time passcodes, biometrics, FIDO-based authentication||Yes|
|SailPoint||Mobile push, email OTP, SMS OTP, authenticator app,biometrics, security keys and tokens||No, needs to be paired with another solution|
VPN and VDI WebAuthn Support
Before zero trust was prominent, MFA was minimally required for remote access and administrator functions. As such, assessing support on these devices is likely a first step for your organisation. One way to determine if support is possible is to look at the methods used for managing authentication of end users.
The following services or protocols are used as ways to support many types of authentication and allow for an indirect method to support WebAuthn:
- If ActiveDirectory, LDAP, or Radius is listed as supported, it may be possible to configure your virtual private network (VPN) to require WebAuthn as the MFA protocol.
- If a credential provider is used in combination with a particular application, service, or remote infrastructure login and the credential provider supports WebAuthn, that could also be indicative of support.
- If a particular product works with a credential provider and that credential provider supports WebAuthn, the VPN product may indirectly support WebAuthn via this service.
- CIS confirmed with VMware that virtual desktop interface (VDI) support exists for browser-based access and that client-based access is a work-in-progress. This confirmation followed from the direct request from a member.
CIS research has confirmed support for WebAuthn in the following market leader products for VPN and VDI:
|Company||Product Name||WebAuthn or PKI Certificate Authentication Support|
|AccelPro||AccelPro Secure Access||PKI certificate authentication, Additional methods possible|
|Array Networks||AG series, vxAG SSL VPN||Supported through identity providers and SSO|
|Aryaka||SmartACCESS, Private Access||No, device-based authentication|
|AT&T||VPN Gateway||Possible through identity provider|
|Awingu||Awingu||Supported through multiple identity and credential providers|
|Blockbit||Blockbit Network Security||Unknown|
|Cisco||AnyConnect||Supported through multiple identity and credential providers|
|Citrix||Citrix Gateway||Supported through multiple identity and credential providers|
|Cloud Point Software||Check Point Capsule||PKI certificate authentication and WebAuthn possible through MFA credential providers|
|Cradlepoint||Cloud Network Engine Platform||Unknown|
|Dell Technologies||Firewall SSL VPN||Supported through multiple identity and credential providers|
|F5||Big-IP TLS VPNs||Supported through identity providers and SSO|
|Cloud VPN||Supported directly and through identity providers|
|Hillstone Networks||Hillstone Networks IPsec VPNs||Supports Xauth|
|HPE (Aruba)||Virtual Intranet Access (VIA) VPN||PKI certificate authentication and WebAuthn possible through MFA credential providers|
|Ivanti||Ivanti Sentry||No, device-based authentication|
|Microsoft||DirectAccess-IPsec VPN, Web Application Proxy-TLS Gateway||MFA via Azure AD|
|Oracle||Oracle Mobile Platform||MFA supported through Oracle Mobile Authenticator and Google Authenticator|
|Palo Alto Networks||Global Protect||Supported through multiple identity and credential providers|
|Pulse Secure||Mobile VPN||PKI certificate authentication and WebAuthn possible through MFA credential providers|
|Sangfor Technologies||Sangfor SSL VPN||Unknown|
|SonicWall||SonicWall Global VPN Client, SonicWall Secure Mobile Access||Supported through multiple identity and credential providers|
|Watchguard||Mobile VPN with SSL, IPsec VPN Client, Basic VPN Client||No, WebAuthn listed|
Zero Trust Network Access (ZTNA) Products
Zero-trust network access (ZTNA) products provide dedicated and secure access to individual applications supporting zero-trust principles, including strong multi-factor authentication and dynamic authentication. Ideally, ZTNA products would also cover the full set of tenets for zero-trust; however, for this blog and research, the focus is on MFA.
ZTNA market leaders are included below along with an indication of their support for WebAuthn as an MFA method. If a product is highlighted in green, verification of support is possible and clear from the vendor or through a certification process result. Gartner assessed ZTNA market penetration in June 2022 at 5-20%, with an expected year-over-year growth rate of 60%. VPNs may be more prevalent today, but this should change with zero-trust adoption initiatives underway.
|Company||Product Name||WebAuthn or PKI Certificate Authentication Support|
|Absolute Software (NetMotion)||NetMotion ZTNA||PKI certificate authentication, additional methods possible|
|Akamai||Enterprise Application Access||WebAuthn and other MFA methods supported|
|Appgate||Appgate SDP||No WebAuthn; OTP, Biometrics, and Push available|
|Axis||Axis Platform||No WebAuthn listed or certification|
|Banyan Security||Zero Trust Remote Access||PKI certificate authentication and WebAuthn possible through MFA credential providers|
|Bitglass||Zero Trust Network Access||PKI certificate authentication and WebAuthn possible through MFA credential providers|
|BlackRidge||Transport Access Control||Device and IoT Access Products|
|Broadcom||Symantec Secure Access Cloud||May be possible via credential provider, SAML supported for SSO|
|Cato||Cato Secure Remote Access||May be possible through edentity and credential provider, SSO supported|
|Check Point Software Technologies||Harmony Connect||Supported through identity and credential provider|
|Cisco||Duo Beyond||Supported through identity and credential provider|
|Citrix||Secure Private Access||Supported through identity and credential provider|
|Cloudaemon (China)||Taiji Perimeter||Unknown|
|CloudDeep Technology(China only)||Deep Cloud SDP||Unknown|
|Cloudflare||Cloudflare Access||Available through select identity providers|
|Cognitas Technologies||Crosslink||Supported through identity provider|
|Cyolo||Zero Trust Network Access (ZTNA) 2.0||Supported through identity provider|
|Deloitte (Transientx)||TransientAccess||May be possible through identity provider|
|Forcepoint||Private Access||Supported through identity provider|
|BeyondCorp Remote Access||Supported directly and through identity providers|
|Google Cloud Platform Identity-Aware Proxy||Supported directly and through identity providers|
|InstaSafe||Zero Trust Remote Access||Supported through identity providers and SSO|
|Ivanti||Ivanti Neurons for Secure Access||No, device-based authentication|
|Jamf||Jamf Private Access||Supported through identity provider|
|McAfee||MVISION Private Access||Supported through identity provider|
|Microsoft||Azure AD Application Proxy||Supported through Azure AD identity management|
|Web Application Proxy for Windows Server||Supported directly|
|NetFoundry||Zero Trust Networking Platform||No Webuthn or PKI Support, MFA via Google Authenticator|
|Netskope||Netskope Private Access||Supported through identity providers and SSO SAML|
|Okta||Okta Identity Cloud||Supported through identity provider (Okta is also an IdP.)|
|Palo Alto Networks||Prisma Access||Supported through credential providers|
|Perimeter 81||Zero Trust Network Access||Supported through identity providers|
|Safe-T||Zone Zero||Supports RADIUS and Open Authentication (OATH)|
|SAIFE||Continuum||Supported through identity providers|
|Systancia||Systancia Gate||Supported directly (PAM product)|
|Trusfort||Zero-Trust Business Security||Unknown|
|Twingate||Twingate||Supported through identity provider|
|Unisys||Stealth||No, other MFA protocols supported|
|Verizon||Verizon Software Defined Perimeter (SDP)||No, other MFA and passwordless solutions supported|
|Versa||Versa Secure Access||MFA supported through ActiveDirectory, LDAP, or RADIUS|
|Waverley Labs||Open Source Software Defined Perimeter||Unknown|
|Zentera Systems||Secure Access ZTNA||Supported through identity provider|
|Zero Networks||Access Orchestrator||No, Access Orchestrator provides asset-focused MFA|
|Zscaler||Private Access||Supported through identity provider|
Operating System and Desktop Client Support
Operating system support is included and mapped against the market adoption for client systems.
|Operating System||FIDO2/WebAuthn Support||Browser||Platform Authenticators||Roaming Authenticators (FIDO Certified Hardware, Titan Keys, etc.)|
Web Browser and Device Support
The following clients support WebAuthn, providing broad coverage to enable access to applications and services.
The following devices support WebAuthn and/or CTAP.
|Destop Browser||Version(s)||WebAuthn Support|
|Chrome||Versions 67 - 109||Yes|
|Edge||Versions 18 - 106||Yes|
|Safari||Versions 13 - 16.2||Yes|
|Firefox||Versions 60 - 108||Partial support|
|Opera||Versions 54 - 92||Yes|
|Mobile Browser||Version(s)||WebAuthn Support|
|Chrome for Android||Version 106||Yes|
|Safari on iOS*||Version 13.3 - 14.4Versions 14.5 - 16.1||Partial support, yes|
|Samsung Internet||17.0 - 18.0||Yes|
|Opera Mobile*||Version 64||Yes|
|UC Browser for Android||Version 13.4||Yes|
|Android Browser*||Version 106||Yes|
|Firefox for Android||Version 105||Partial support|
|QQ Browser||Version 13.1||Yes|
|Baidu Browser||Version 13.18||Yes|
|KaiOS Browser||Version 2.5||Yes|
The list of web-based applications supporting WebAuthn and FIDO can be found in this certified product list from the FIDO Alliance. Additional applications may support these protocols, or it may be possible to integrate applications for support through existing infrastructure as discussed earlier in the blog.
Several token providers offer lists of applications that also support protocols in the FIDO Framework. As such, the links are provided to aid research on application support of WebAuthn, CTAP, and FIDO protocols.
Hideez list of supported applications.
Yubico list of Application and Services supporting FIDO Certified Hardware Tokens
CIS researched several cloud-based or hosted application services to determine the level of support for WebAuthn and PKI certificate-based authentication. It maintains the list in the table below.
|Company||Product Name||WebAuthn or PKI Certificate Authentication Support|
|ADP||ADP||Supported through identity providers and SSO SAML|
|Amazon Web Services||AWS||Supported directly|
|Apache||Cloud Stack||Credential and identity providers through OpenID Connect|
|Asana||Asana||Yes, through OpenID Connect|
|BlueJeans||BlueJeans||Supported through identity providers and SSO SAML|
|Concur||Concur||Supported through identity providers and SSO SAML|
|Expensify||Expensify||Supported through identity providers and SSO SAML|
|Meta||Supported though identity providers and SSO|
|Google Meet||Supported directly and through identity providers|
|Google Cloud Platform|
|Hootsuite||Hootsuite||Supported through identity providers and SSO SAML|
|HubSpot||HubSpot||No WebAuthn or PKI support, MFA through multiple authentication apps|
|Supported though identity providers and SSO|
|Microsoft||Microsoft Teams||Supported through Azure Active Directory|
|Microsoft Azure||Supported through Azure Active Directory|
|Office 365||Supported directly|
|OnApp||OnApp||Supported through identity providers and SSO SAML|
|Salesmate||Salesmate||Supported through identity providers and SSO SAML|
|SAP||SAP||Supported through identity providers and SSO SAML|
|ServiceNow||Enterprise CX||Supported through identity providers and SSO SAML|
|Shopify||Shopify||Supported through identity provider|
|Slack||Slack||No WebAuthn or PKI support, MFA through multiple authentication apps|
|Square||Square||WebAuthn supported through 3-D Secure|
|Voluum||Voluum||No WebAuthn or PKI support, MFA through multiple authentication apps|
|Webex||Webex||No WebAuthn or PKI support, MFA through multiple authentication apps|
|Zoom||Zoom||No WebAuthn or PKI support, MFA through multiple authentication apps|
Expanding Support for WebAuthn
As you'll see from the research above, support is quite prominent for WebAuthn and related protocols in the FIDO Alliance Framework. If you are considering MFA for the first time or revising your solution set, it is a technology that will be worth the investment in terms of the protection offered and where it is on the path to adoption. WebAuthn has strong support as buyers increasingly request the protocol due to the strength of the solution and the projected longevity from sources such as the U.S. federal government and CISA.
We'll update our market research as the solution space evolves. In the meantime, if you see something that warrants a correction, you can get in touch with us below.
Additional information on multi-factor authentication and authorisation technologies can be found in the following resources:
- Why Are Authentication and Authorization So Difficult?
- Authentication and Authorization Using Single Sign-On
- Why OAuth Is So Important: An Interview with Justin Richer
- CISA Datasheet: Implementing Phishing-Resistant MFA
- CISA: Multi-Factor Authentication Overview
This article was originally published over on the CIS blog.