Compared with the older approach of logging in with a password, WebAuthn has advantages for users and website operators alike. For users the main draw is convenience: there is nothing to memorize anymore. That is also good news for security, because passwords are only conditionally secure: they can be cracked (by brute force or with rainbow tables, for example), stolen from a breached database and reused elsewhere, or obtained through phishing. With WebAuthn the private key never leaves the user's authenticator, and the signed login response is bound to the website's origin, so there is no password that can be typed into a fake site or passed on by accident.
Because the standard never transmits a reusable secret over the internet, a man-in-the-middle attack that taps data in transit gains nothing it can log in with: what travels is a public key during registration and, at each login, a signature over a fresh random challenge issued by the server. A captured response cannot be replayed, because the server accepts each challenge only once, and the response also carries the origin the browser observed, which the server checks against its own. If the authenticator provides an attestation statement during registration, that too is signed, so the server can cryptographically verify which kind of authenticator created the key.
The fact that the sensitive material stays on the user's device is also an advantage for website operators. Providers of services that require registration currently have to invest a lot of energy and expertise in protecting stored user names and passwords (hashing, salting, rate limiting), and the consequences are catastrophic if criminals manage to get into their databases. Companies that fail to prevent such attacks face serious consequences themselves, and their users suffer from the resulting misuse of the stolen credentials, especially if they reuse them on other platforms. A WebAuthn credential store, by contrast, holds only public keys and credential IDs, which are useless for logging in anywhere.
WebAuthn is also considered more secure than conventional multi-factor authentication that adds a one-time code to a password. Although the additional factor queried at login offers extra protection, it is not without risk: some factors, such as a one-time password sent via SMS, can be intercepted relatively easily, and these short-lived codes have become popular targets for real-time phishing, where the attacker simply relays the code before it expires. Conventional MFA is also relatively time-consuming for the user. WebAuthn can itself serve as a multi-factor method when user verification is required (possession of the authenticator plus a PIN or biometric to unlock it), yet it works faster and is therefore more user-friendly.
There are disadvantages, however, when a new authenticator has to be registered for an existing account. If a hardware token is lost, for example, a new one is needed, and linking it to the existing profile is not easy, because an unauthenticated "add a new key" path would be too great a security risk. Instead, you must either have registered a replacement authenticator in advance specifically for this purpose, or the account must be reset. The latter works like a password reset and is only as strong as the recovery channel (typically an e-mail address or phone number), so it is best suited to services that do not require a high security standard. Registering at least two authenticators up front is therefore the recommended practice.