User Presence & Verification in WebAuthn: Detailed Guide

Published at: 9/11/2024
Categories: webauthn, cybersecurity, mfa, passkeys
Author: vdelitz

Introduction to WebAuthn

WebAuthn is reshaping authentication by enhancing security and reducing reliance on traditional passwords. A significant part of this standard involves "User Presence" (UP) and "User Verification" (UV). Both play crucial roles in passkey-based authentication, ensuring a secure and user-friendly login experience. This guide analyzes how UP and UV function and their importance in building a secure authentication framework.

What is User Presence in WebAuthn?

User Presence (UP) confirms that the user is physically interacting with the device during authentication. It doesn't verify the user's identity but prevents remote attacks by requiring the user to engage directly with the device. For instance, when using a security key like a YubiKey, the user must physically touch the key to signal their presence. In software-only implementations like passkeys on desktops, the system displays a dialog to ensure the user's involvement, mitigating the risk of unauthorized login attempts from compromised devices.

What is User Verification in WebAuthn?

User Verification (UV) takes security a step further by confirming the user's identity, typically via biometrics (like facial recognition or fingerprints) or a PIN. Unlike UP, which just checks for presence, UV guarantees that the person attempting authentication is indeed the rightful owner of the credentials. This process is triggered by the relying party (RP) that requests authentication, and the authenticator responds by verifying the individual and relaying the result back to the RP.

Passkeys: Combining User Presence & Verification

Passkeys, which are designed as a passwordless authentication method, use UP and UV depending on the security requirements. User presence is always required, while the use of user verification can vary based on the context and security policies of the application. Passkeys ensure a higher level of security, especially when used as part of multi-factor authentication (MFA), where they combine "something you have" (the device) and "something you are" (biometrics).

User Presence and Verification Across Platforms

Operating systems handle UP and UV differently. For instance, macOS might not enforce UV if biometric sensors aren't available in certain modes, such as when a laptop is in clamshell mode. This inconsistency highlights the need for developers to understand how different platforms handle these settings and ensure the security expectations are met across various user environments.

Practical Recommendations for Developers

  • Using Passkeys as Single-Factor Authentication: In less critical systems, developers can rely on User Presence alone, with a fallback to email or one-time passwords (OTPs) if necessary. The default "preferred" UV setting is practical here.
  • Passkeys in MFA Systems: When using passkeys as a second factor in MFA, developers should consider setting UV to "preferred" or even "discouraged" when a password or another primary method is already involved.
  • Self-Contained MFA Systems: For systems requiring higher security, where passkeys serve as the sole MFA method, developers should use UV "required" during the registration process and ensure the same setting is enforced for all future authentications.

Key Takeaways for Successful WebAuthn Implementations

  • Understanding the difference between User Presence and User Verification is essential for building secure applications.
  • Always validate UP and UV flags during authentication to ensure compliance with security policies.
  • Developers should be aware of the platform inconsistencies in handling UV and adjust their implementations accordingly.
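
Added example (not part of the original article): a server-side check of the UP and UV flags in the authenticator data against the UV setting chosen under the recommendations above. The scenario names, `UV_POLICY` and the helper functions are hypothetical, and the code assumes the assertion signature and RP ID hash have already been verified by your WebAuthn library.

```javascript
// Flag bits in byte 32 of authenticator data (right after the 32-byte rpIdHash).
const FLAG_UP = 0x01; // bit 0: User Present
const FLAG_UV = 0x04; // bit 2: User Verified

// Hypothetical scenario names mapped to the userVerification value the RP
// requests (one possible mapping of the guide's three recommendations).
const UV_POLICY = {
  singleFactor: 'preferred',    // passkey alone, less critical system
  secondFactor: 'discouraged',  // a password was already checked
  selfContainedMfa: 'required', // passkey is the sole MFA method
};

// Read the flags byte and the big-endian signature counter that follows it.
function parseFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error('authenticator data must be at least 37 bytes');
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return { up: (flags & FLAG_UP) !== 0, uv: (flags & FLAG_UV) !== 0, signCount: view.getUint32(33, false) };
}

// The client-side option is only a request; the server must check the flags,
// which are covered by the assertion signature.
function enforcePolicy(authData, scenario) {
  const requested = UV_POLICY[scenario];
  if (!requested) throw new Error(`unknown scenario: ${scenario}`);
  const { up, uv } = parseFlags(authData);
  if (!up) return { accepted: false, reason: 'UP flag not set' };
  if (requested === 'required' && !uv) {
    return { accepted: false, reason: 'UV required but UV flag not set' };
  }
  // With "preferred" the platform may skip UV (for example, no usable sensor),
  // so report what actually happened and let the caller decide on a step-up.
  return { accepted: true, userVerified: uv, requested };
}

// Constructed sample input: zeroed rpIdHash, chosen flags, chosen counter.
function sampleAuthData(flags, signCount = 1) {
  const data = new Uint8Array(37);
  data[32] = flags;
  new DataView(data.buffer).setUint32(33, signCount, false);
  return data;
}
```

Store `userVerified` with the session so that a login accepted under "preferred" without UV is treated as possession-only when deciding whether a second factor is still needed.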

Find out more about how you can implement secure passkeys with WebAuthn by visiting our detailed guide.
