WebAuthn with FIDO Security Keys
Published on August 23, 2022
In this lab, you will:
- Define an MFA Factor using security keys.
- Define, apply, and test an MFA policy.
MFA with a FIDO Security Key
What is MFA?
When you configure Multi-Factor Authentication (MFA) to use a security key as an authentication factor, your users will have to connect their security key to a device to complete the login transaction. This interaction implies that your users can prove their digital identity by providing:
- Something they know: your users know their login credentials.
- Something they own: your users have a security key that they have registered to use with MFA.
What are security keys?
A security key is a device that works as an authentication factor. Its primary objective is to make Multi-Factor Authentication (MFA) as easy and fast as possible. After you enter the first authentication factor (username and password or social login), you connect your security key to your device and press or tap a button to activate it. The security key sends a code to the application, completing the login process.
You can read our "The Working Principles of 2FA (2-Factor Authentication) Hardware" blog post to learn more about how security keys work and why they are the strongest possible authentication factor.
These are some key takeaways on the advantages of security keys when compared to using a smartphone-only authenticator for MFA:
- They protect against phishing and man-in-the-middle attacks.
- They promote user privacy as they don't require a personal device.
- They provide one-touch login without having to take out a mobile phone to complete an authentication challenge.
- Users can register multiple keys with applications, minimizing business disruption and the chances of account lockout.
Some of the most popular security keys are Yubikey and Google Titan. These keys come in different sizes and offer different connection options, such as USB-A, USB-C, and Lightning. Some keys are NFC-enabled so that you can use them without physically connecting the key to a device: you simply tap and go!
Security companies build these devices based on open standards. The FIDO Alliance has standardized the design of security key software, which makes them easy to use and reliable. Developers allow their users to use security keys on web applications by implementing the Web Authentication API (WebAuthn), which is part of the FIDO2 standard. End-users can register their security keys with any application that supports the standard.
When users authenticate with WebAuthn, they can use something they have as an authentication factor, such as a security key. Auth0 supports using FIDO-compliant security keys to perform MFA. Let's see that in action!
Lab Setup
Required hardware
You need a security key to complete this lab. If you are attending an Auth0 workshop in person, please reach out to any workshop mentors to receive one if you haven't already.
Create an Auth0 Account
If you already have an Auth0 account, you can log in to your tenant and continue to the next step.
Otherwise, sign up for a free Auth0 account.
During the sign-up process, you create something called an Auth0 Tenant, representing the product or service to which you are adding authentication.
Define an MFA Factor
For this exercise, you'll configure the "WebAuthn with FIDO Security Keys" factor by following these steps:
- Head to the Auth0 Dashboard.
- Locate the "Security" section on the left-hand menu. Under this section, click the "Multi-factor Auth" sub-section.
- Click the "WebAuthn with FIDO Security Keys" option under the "Factors" list to open its configuration page.
- Click the toggle button to enable this factor, which turns the button green.
What is user verification for security keys?
The "WebAuthn with FIDO Security Keys" configuration page presents you with a "User Verification" section. In the context of a security key, user verification is the process of verifying that the person authenticating is authorized to use the security key. When you enable this feature, the browser will ask the user logging in to enter a PIN or use a touch sensor to complete the WebAuthn challenge.
Some browsers don't implement user verification for security keys properly. Additionally, user verification does not work for FIDO1 keys. As such, it's best to set this option to "Never" or "If supported".
"Never" is the default value as it's usually good enough when you are using security keys for MFA. In the context of MFA, users must enter a username/password combination or use social login before using their security keys as part of the authentication process. As such, your users have already provided some form of user verification before the browser prompts them to use their security keys.
Define an MFA Policy
Once you have configured your MFA factor, click the "Back to Multi-factor Authentication" link at the top of the page.
Once you are back on the "Multi-factor Authentication" page, scroll past the "Factors" section and locate the "Define policies" section. Recall that an MFA policy determines when Auth0 will prompt your users to provide additional authentication factors to log in successfully. You must define a policy to enforce MFA in your applications.
Looking at the "Require Multi-factor Auth" setting, you'll notice that "Never" is the default selection. This selection means that Auth0 will never require users to authenticate using an additional factor for any application registered under your Auth0 tenant.
For this exercise, select "Always" to always require an additional authentication factor to log in. Then, click the "Save" button.
Did you get a warning about enabling MFA?
You may see a modal warning you about the possible consequences of always requiring MFA:
All new and existing users who are not enrolled in Multi-factor Authentication will be required to enroll using one of the enabled factors the next time they log in. This will apply across all applications within your tenant.
If it shows up, click the "Continue" button.
Test Your MFA Strategy with Security Keys
Use the Auth0 Dashboard to log in
Instructions
- Visit the Auth0 Dashboard home page.
- Locate the "Try your Login box" under the "Next Steps" section.
- Click the "Try it out" link.
- Log in using any of the available login options.
Expected results
The Auth0 Universal Login page should prompt you to use two authentication factors to complete your login or sign-up:
- If you sign up, you need to provide...
  - Something you know: You must create a username/password combination or use a social login provider like Google (if you have enabled that feature in your Auth0 tenant).
  - Something you have: You'll have to enroll your security key.
- If you log in, you need to provide...
  - Something you know: You must use a username/password combination or a social login provider like Google.
  - Something you have: You'll have to connect and tap your security key.
Recap
You have set up MFA, reducing the likelihood of many common attacks. Attackers frequently steal usernames and passwords or attack user accounts programmatically. An additional MFA factor, such as WebAuthn with FIDO Security Keys, impedes these attacks, protecting the data and privacy of your users.
You can allow your users to enroll in MFA using different factors. Follow the "WebAuthn with Biometrics" lab to learn how to set up Multi-Factor Authentication (MFA) using biometrics as an authentication factor.