Passwordless Authentication with WebAuthn | WordPress


Passwordless Authentication with WebAuthn

Passwordless authentication allows users to log in without needing to remember a password. Instead of a conventional username and password, WebAuthn allows you to use the login methods already set up on your device. Using Web Authentication, you can use the fingerprint sensor on your phone, Windows Hello on your PC, or even your Apple ID to log in to any website.
The supported methods include but are not limited to:
  • Windows Hello
  • Fingerprint Sensors on both Laptops/Mobiles
  • Windows PIN
  • YubiKey
  • Face Authentication


Most users might use the same credentials for different systems. This substantially weakens the security of all those websites if the credentials are leaked or obtained by an unauthorized user. Web Authentication is a fairly new specification, created for the new age of the internet and the new technologies therein, giving us the resources and the infrastructure to use various authentication methods.

Unlike its predecessor, WebAuthn should be here to stay. Although the fine points of the spec are complex, Web Authentication has been fairly easy to implement in practice. At the time of writing this, both Chrome and Firefox have the data types necessary for WebAuthn, and Firefox’s Nightly Build is able to create and request credentials. We’ll talk a bit later on about what this new standard could mean for the future of passwords (sorry, they’re probably not going away tomorrow), but first, a bit more about the core components of the WebAuthn API.



Web Authentication vs Conventional Authentication Methods


The big thing that WebAuthn wants to provide is biometric multi-factor authentication based on “Something a user is.” A user (in most cases) has a voice, a fingerprint, or a retina, that is unique to them. Something most users also have nowadays is a biometric device, like a smartphone, that can use this data to create and manage credentials that only the user can access through these unique traits.
To see implementations of WebAuthn in real life, you can go to GitHub, which natively supports Web Authentication as a login method. For a web demo, you can have a look at the entire implementation here: https://webauthn.io/





Enabling WebAuthn for your WordPress Website


miniOrange currently is the only way to reliably get WebAuthn working on your WordPress website. Using our Two Factor Authentication plugin, you will be able to use Web Authentication as a second factor. miniOrange provides a secure two-factor authentication plugin for multiple platforms (WordPress, Atlassian, Drupal, Magento & Moodle) which adds an extra layer of security to your company’s databases and website. Through these plugins, you will get access to several authentication methods that can restrict the user’s credentials from being shared with anyone, on purpose or by accident. When users enter their correct username and password, they are prompted with a second-factor authentication page in order to log in successfully. We offer 15+ authentication methods, which include OTP over Email, OTP over SMS, hardware token, QR code authentication, Google Authenticator, etc.





What are the benefits of Passwordless Authentication with WebAuthn?


  • Better Security

    User-controlled passwords are a major vulnerability because users reuse passwords and are able to share them with others.

    The security of passwordless authentication systems depends on the proof of identity required and their implementation.

    For example, using secure push notifications to the account holder’s mobile device is generally considered more secure than passwords. One-time passwords over SMS on mobile devices are generally used as a second factor of authentication in addition to the traditional username and password combination.


  • Better Control

    Phishing, reuse, and sharing are common issues when relying on passwords. With passwordless login, users have better control over their account and are less susceptible to phishing.
    With passwords out of the picture, both user experience and security improve.



What does Passwordless Login prevent with WebAuthn?



  • Password Spraying

    Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords. Traditional brute-force attacks attempt to gain unauthorized access to a single account by guessing the password.

    In password spraying, an attacker tries combinations of usernames and passwords from the list of commonly used passwords.


  • Credential Stuffing

    Credential stuffing is a type of attack that uses stolen credentials, consisting of a list of usernames along with their passwords. It differs from a brute force attack in that it does not try to guess a user's credentials but instead uses a list of leaked credentials.

    Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites, with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same passwords across a majority of their accounts.


  • Brute Force Attack

    A brute force attack is a type of attack in which a combination of username and password is guessed by trial and error. It consists of repeated login attempts made with different combinations each time. Guessing a short password can be relatively simple, but that isn’t necessarily the case for longer passwords or encryption keys: the difficulty of brute force attacks grows exponentially the longer the password or key is.
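
Added example (not from the original page or the miniOrange plugin): a defender-side check that separates the patterns described above using failed-login events only. The thresholds, function names and sample events are assumptions constructed for illustration; because failed-login records do not show where a password came from, spraying and credential stuffing share one verdict.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
SPRAY_MIN_USERS = 5              # assumed: distinct accounts tried from one source
SPRAY_MAX_PER_USER = 2           # assumed: only "a few" passwords per account
BRUTE_MIN_ATTEMPTS = 8           # assumed: repeated guesses at a single account

def classify_sources(failures):
    """Map each source IP to 'spray_or_stuffing', 'brute_force' or 'normal'.

    failures: iterable of (iso_timestamp, source_ip, username) for FAILED logins.
    """
    by_source = defaultdict(list)
    for ts, ip, user in failures:
        by_source[ip].append((datetime.fromisoformat(ts), user))

    verdicts = {}
    for ip, events in by_source.items():
        events.sort()
        verdict = "normal"
        for i, (start, _) in enumerate(events):
            # Attempts per username inside the window that opens at this event.
            per_user = Counter(u for t, u in events[i:] if t - start <= WINDOW)
            if max(per_user.values()) >= BRUTE_MIN_ATTEMPTS:
                verdict = "brute_force"      # many guesses against one account
                break
            if (len(per_user) >= SPRAY_MIN_USERS
                    and max(per_user.values()) <= SPRAY_MAX_PER_USER):
                verdict = "spray_or_stuffing"  # many accounts, few tries each
        verdicts[ip] = verdict
    return verdicts

def sample_failures():
    """Constructed events: documentation-range IPs, made-up usernames."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    rows = []
    for n, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        rows.append(((t0 + timedelta(seconds=30 * n)).isoformat(), "203.0.113.10", user))
    for n in range(9):
        rows.append(((t0 + timedelta(seconds=5 * n)).isoformat(), "198.51.100.7", "admin"))
    for n in range(2):
        rows.append(((t0 + timedelta(minutes=n)).isoformat(), "192.0.2.44", "alice"))
    return rows

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(sample_failures()).items()):
        print(ip, verdict)
```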





Passwordless Login in WordPress using miniOrange 2 Factor Authentication plugin with WebAuthn


Login can be done with username and 2-factor or with username only, which can be decided based on the user role. If a role is not allowed passwordless login, its users will log in with a username and password.


There are two options:




  • Login with Password + 2nd Factor:

    You can log in with WordPress username + password, and then 2nd-factor authentication.


  • Login with 2nd Factor only:

    In this second option you get variations of Username + Password and Username + 2-Factor Authentication in the same window.









What are the add-ons related to WordPress Login?


  • Enforce two-factor verification to WordPress users during user enrollment
    With the miniOrange two-factor plugin for WordPress login, you can notify WordPress users to configure Telegram verification during inline registration so that the second security layer will get added to their WordPress account.

  • Two-factor verification compatible with WooCommerce forms
    This method of verification is compatible with almost all WordPress login forms and also with the WooCommerce form.

  • Passwordless Login with two-factor Verification
    You can enable Passwordless Login for your WordPress login with no worries by setting up Telegram verification in simple steps.

  • Customization
    miniOrange login security also provides customization options. You can customize the two-factor prompt user interface according to the design of your WordPress website.

  • Backup methods
    In case you lose your two-factor authentication ability, you will also get backup methods like an alternate two-factor method or alternate extra security solution to get back to your WordPress account.


If you don't find what you are looking for, please contact us at info@xecurify.com or call us at +1 978 658 9387.
