Web Authentication

It has long been known that passwords aren’t the end-all solution for online account security. Users like easy passwords, but they can be guessed or cracked. Admins like complex passwords, but they’re hard to remember and users often need to have them reset. Fraudsters, however, know that even the strongest passwords are vulnerable to social engineering and malware attacks.

Better solutions are out there, but implementation can be tricky. One new technology, Web Authentication, offers an alternative based on public-key cryptography. Could Web Authentication protocols finally be the thing to replace passwords as the standard way to validate identities online?

Password security isn’t functioning the way it’s supposed to—more than 80% of data breaches involve passwords that have been compromised in some way.

Meanwhile, many users are still using low-security or repeated passwords, and even more complex ones are far from safe.

Odds are good that you’ve got at least one important, sensitive online account that’s secured with a really bad password. Maybe you’ve really been meaning to change it, but for now it’s there, and hey—at least you can remember it and type it correctly every time. There might be a few readers to whom this doesn’t apply, but chances are pretty good that poor server-side security has led to at least one of your theoretically-strong passwords ending up in a batch of stolen data for sale on the dark web.

Passwords have been the most widely used method of logging in and verifying your identity since the earliest days of the internet, but they can’t keep up with the pace of technology—or fraud.

The best practices for data protection, enshrined in regulation in many parts of the world, call for strong customer authentication, which can't be accomplished with passwords alone.

New methods for verifying digital identities are needed, and Web Authentication is one solution that has been in development for a number of years. With major industry players lining up to support it, Web Authentication could be poised for a breakthrough in adoption.

What Is Web Authentication?

Developed by the World Wide Web Consortium and the FIDO Alliance, Web Authentication—or WebAuthn for short—is an API specification that lets users prove their identity to a login server using public-key cryptography instead of entering a password.

Web Authentication is based on public-key cryptography. When a user registers an account, their device (the authenticator) generates a key pair: a private key, which never leaves the device, and a public key, which is sent to the web server. The two keys are mathematically linked, so a signature produced with the private key can only be verified with its matching public key. When the user tries to log in at a later time, the server sends a fresh random challenge, the authenticator signs it with the private key, and the server checks the signature against the stored public key. If the signature verifies, the user is authenticated.

With Web Authentication, there’s no password for the user to remember and no sensitive information to be stored server-side.

It doesn’t matter if fraudsters get their hands on the public key, or if it gets shared to the entire internet—it’s useless without the private key attached to the user’s device. Strong authentication requires at least two out of three factors: something the user knows, something the user possesses, or some quality inherent to the user.

Web Authentication securely fulfills the second factor, and when combined with another (such as a PIN, which is something the user knows, or a biometric scan, which depends on their inherent qualities) it is nearly impossible for anyone but the actual user to authenticate with those credentials.

Web Authentication needs to be supported by the user’s device or browser in order to work. Fortunately, companies like Google, Microsoft, Mozilla, and other industry heavyweights have contributed to the development of Web Authentication and plan to support it.

Why Should Merchants Consider Web Authentication?

Before changing anything that will impact their security profile and the customer experience, it is appropriate for merchants to carefully weigh the costs and benefits. Passwords are going to persist, and are likely to remain favored by the average user, for a long time yet, but there are some significant advantages to Web Authentication that merchants should be aware of.

The first is that Web Authentication—or any two-factor authentication protocol—is the best thing you can do to prevent account takeover fraud.

This form of fraud is particularly dangerous because it can be used in ways that are far more harmful than making an unauthorized card purchase (for which, of course, the customer can demand a chargeback).

Account takeover fraud can be used to impersonate identities, gain access to other accounts, and transfer funds in ways that are not necessarily recoverable via chargeback. Merchants who store highly valuable or sensitive data for their customers should not be relying on passwords alone to provide security.

Web Authentication can also benefit merchants by reducing cart abandonment. Passwords (and their security questions) are easily forgotten, especially by users who are trying to follow best practices by creating long, intricate passwords. Filling up a shopping cart only to find that you can’t log into your account is frustrating, and can lead customers to give up and shop elsewhere.

With Web Authentication, there’s nothing for users to remember; the specification requires that the private key be attached to an authenticator device (which in most cases will be the user’s phone) that supplies the key automatically.

Conclusion

Merchants are often reluctant to adopt anti-fraud measures that might cause friction for their customers and scare them off. Fighting fraud is a necessary part of avoiding chargebacks and protecting your revenue, but there is always a balance that must be found.

By using public keys as the only form of stored login credentials—instead of username and password combinations that can be stolen or cracked by determined cybercriminals—Web Authentication could help usher in a paradigm shift in the way users log in to websites.

While change is hard and we will all miss our favorite terrible, easily-guessed passwords, nobody will take this development harder than the fraudsters, who are almost always powerless in the face of multi-factor authentication.


Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions, or requests for advice to: win@chargebackgurus.com