This series of articles gives a comprehensive introduction to W3C Web Authentication (WebAuthn). It is intended primarily for middleware deployers, especially deployers of SSO software. This of course includes the Shibboleth software but the material is not specific to Shibboleth.

Part 1 introduces the terminology of [Bonneau et al. 2012] and uses that evaluation framework to compare Password and Password via SSO. As expected, the comparison justifies the deployment of SSO middleware (which is now a widespread phenomenon).

Part 2 introduces the notion of an authenticator [NIST 800-63-3 2017] (previously called a token) by describing a handful of (well-known) single-factor authenticators. The article then compares these authenticators using the evaluation framework of [Bonneau et al. 2012] and shows how to combine and evaluate a pair of single-factor authenticators to achieve two-factor authentication. In particular, it compares Extended Password + OATH OTP and Extended Password + Mobile Push. It also compares Password + FIDO U2F with Google Security Keys (which should be equivalent).

Part 3 introduces W3C Web Authentication [W3C WebAuthn Level 1 2019] (better known as WebAuthn) and explains in some detail what is meant by the (confusing) term “passwordless web authentication.” A number of multi-factor authenticators are introduced for context before systematically comparing the Extended Password, FIDO U2F, Extended Password + FIDO U2F, and Passwordless + PIN web authentication schemes.

Part 4 speculates on what effects WebAuthn might have on existing middleware deployments. Assuming SSO throughout, the article compares Password, Password + Mobile Push, Password + FIDO U2F, and Passwordless. The steps required to implement a WebAuthn Relying Party are briefly outlined.

  1. The Quest to Replace Passwords

    1. An intro to the evaluation framework introduced by [Bonneau et al. 2012]

    2. A comparison of Password and Password via SSO

    3. Extending the framework

  2. Two-Factor Authentication

    1. An intro to single-factor authenticators

    2. A comparison of Password, Extended Password, OATH OTP, Mobile Push, and FIDO U2F

    3. Combining single-factor authenticators

    4. A comparison of Extended Password + OATH OTP and Extended Password + Mobile Push

    5. A comparison of Password + FIDO U2F and Google Security Keys

  3. Passwordless Web Authentication

    1. An intro to multi-factor authenticators

    2. An intro to the FIDO2 project and W3C Web Authentication (WebAuthn)

    3. A comparison of Extended Password, FIDO U2F, Extended Password + FIDO U2F, and Passwordless + PIN

  4. WebAuthn and Web Single Sign-On

    1. Assuming SSO throughout, a comparison of Password, Password + Mobile Push, Password + FIDO U2F, and Passwordless

    2. Implementing a WebAuthn Relying Party


[Bonneau et al. 2012] Bonneau, Joseph; Herley, Cormac; Oorschot, Paul C. van; Stajano, Frank (2012). “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes.” University of Cambridge Computer Laboratory, Technical Report Number 817. Cambridge, UK. ISSN 1476-2986.

[NIST 800-63-3 2017] Grassi, Paul A.; Garcia, Michael E.; Fenton, James L. (June 2017). "NIST Special Publication 800-63-3: Digital Identity Guidelines". National Institute of Standards and Technology (NIST). doi:10.6028/NIST.SP.800-63-3.

[W3C WebAuthn Level 1 2019] Balfanz, Dirk; Czeskis, Alexei; Hodges, Jeff; Jones, J.C.; Jones, Michael B.; Kumar, Akshay; Liao, Angelo; Lindemann, Rolf; Lundberg, Emil (eds.). "Web Authentication: An API for accessing Public Key Credentials Level 1 (latest)". World Wide Web Consortium (W3C).