Tracing the Evolving Levels of Support for WebAuthn
By Kathleen M. Moriarty, CIS Chief Technology Officer, with supporting research from Ben Carter, IoT Specialist at CIS
You've likely been hearing about the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) and wondering if you're ready to implement it in your environment. One of the reasons why it's gaining traction is because it not only helps deprecate passwords but also prevents credential theft. It does this by using public/private key pairs for multi-factor authentication (MFA), which prevents a cyber threat actor (CTA) from stealing or replaying credentials. And all while being simpler to implement than a full PKI solution. (An earlier blog covered the different types of MFA schemes and linked to an NSA evaluation of MFA solutions against the NIST Special Publication 800-63 Authentication Levels.)
WebAuthn is just one of the authentication protocols that fit into the FIDO Alliance framework enabling public/private key pair authentication across platforms and applications. The solution set evolved from Google’s Universal 2 Factor (U2F) that was first contributed to the FIDO Alliance for development and then to W3C, where WebAuthn emerged. The FIDO Alliance also developed a related authentication protocol, the Client to Authenticator Protocol (CTAP), to support non-web applications.
For authentication protocols in the FIDO Alliance Framework, each user and application combination has a unique public/private key pair where mutual authentication is performed using these keys to digitally sign challenges. Since the signed challenges pass on the wire, credentials cannot be replayed or easily captured. (You might be hearing more about secure passwordless authentication these days. Passwordless authentication is possible because of the proliferation of these standards.)
In a memo dated January 26, 2022, the Office of Management and Budget specifically called out W3C’s WebAuthn along with public key infrastructure (PKI) as one of the acceptable authentication methods for the federal government to implement by the end of fiscal year 2024 because of its phishing-resistant properties. The memo requires a zero-trust approach where MFA is required at the application layer instead of the network layer. This is a change in guidance from the model before adoption of zero-trust, with remote access or administrator-level access being more common as a sole requirement for MFA. The requirement provides incentives for vendors who have not yet integrated the standard to do so now. As a result, many applications, existing Identity and Access Management (IAM) frameworks, directory services (e.g. LDAP, ActiveDirectory), credential providers (CP), and identity providers (IDP) support WebAuthn or are planning to support the appropriate protocol in the FIDO Framework.
Determining Support for Your Environment
There are many levels of support for emerging protocols, including fully certified solutions that are listed on the FIDO Alliance Certified Products web page. W3C also promotes support of WebAuthn in products, as it works closely with client vendors to ensure wide support in web browsers, devices, and client operating systems. Some point products have support integrated at some level, but the applications aren't certified. Additionally, in many cases, a credential provider may provide support or integration through a directory service such as LDAP or ActiveDirectory. If your organization’s applications are not listed directly in one of these lists, developers and administrators should look to the following resources to determine if it is possible to close the gap for their environment:
- FIDO2: Web Authentication (WebAuthn)
- FIDO Alliance: Getting Started for Developers
- FIDO Alliance: Learn More About FIDO Authentication
- W3C Web Authentication Standard
- Overview Video of WebAuthn
There are a large number of products that support WebAuthn and other standards in the FIDO Framework. W3C worked diligently with browser vendors and other client application vendors to ensure that access using these standards would be possible from most devices and systems. The data provided by the FIDO Alliance and W3C on support are regularly updated; however, it is not necessarily connected in a way that is easy for organizations to determine if all the products they care about most in their environments have support.
As such, the Center for Internet Security (CIS) conducted market research to determine if we could bridge that gap minimally as a point-in-time snapshot to determine readiness for implementation. Support is grouped in categories that may help to determine if clients, applications, and devices have the support needed to move to WebAuthn and the FIDO Framework.
Identity and Credential Provider Support
Identity providers (IdP) create, store, and manage digital identities. Credential providers manage authentication credentials that can be assigned to an identity. While many organizations manage their own credentials, some can outsource these efforts to ease management. (This may be more common for some types of multi-factor authentication protocols.) In some cases, an IdP is also a credential provider. Many organizations already use a credential provider where support for newer authentication protocols such as WebAuthn is available. Additionally, several One-Time Password (OTP) solution providers have expanded to become credential providers by supporting additional authentication protocols such as WebAuthn.
The dropdown below is a table listing the credential providers discovered in our research that support WebAuthn.
|
Identity & Credential Providers |
||
|
Company/Solution |
MFA Factor Type |
WebAuthn Support |
|
Auth0 |
Push notifications, SMS, Voice, One-Time Passwords, WebAuthn with security keys and device biometrics, Email |
|
|
CyberArk |
QR Code, Push notification, PINs, Authenticator App, OTP, Phone Call, SMS, Email, Hardware Token, Biometric |
|
|
Duo |
Duo Push, WebAuthn, Biometrics, Tokens, Passcodes |
|
|
Google Cloud |
Hardware security keys, phone as a security key, mobile device push notifications, SMS, and voice calls |
|
|
IBM Security Verify |
SMS/Email/Voice Callback OTP, TOTP, IMB Verify App (user presence and biometric), FIDO authenticator |
|
|
LoginTC |
Passwords, four-digit personal identification numbers, OTPs, hardware token, security key, key fob, SIM Card, Biometric |
|
|
Microsoft Azure AD |
Microsoft Authenticator app, Windows Hello for Business, FIDO2 security key, OATH hardware token, OATH software token, SMS, Voice Call |
|
|
MiniOrange |
SMS, Phone Callback, Multi-Factor Authenticator Apps, miniOrange Authenticator, Email, Hardware Token, Security Questions |
|
|
Okta |
Passwords, Security Questions, SMS/Voice/Email, Verification, FIDO Certified Hardware, WeAuthn |
|
|
OneLogin |
OTP app, email, SMS, voice, WebAuthn for biometric factors, third-party options |
|
|
PingID/PingFederate |
Mobile push, email OTP, SMS OTP, TOTP authenticator apps, QR codes, magic links, FIDO2-bound biometrics, security keys |
|
|
RSA SecurID Access |
Push-to-approve, one-time passcodes, biometrics, FIDO-based authentication |
|
|
SailPoint |
Mobile push, email OTP, SMS OTP, authenticator app,biometrics, security keys and tokens |
|
VPN and VDI WebAuthn Support
Before zero trust was prominent, MFA was minimally required for remote access and administrator functions. As such, assessing support on these devices is likely a first step for your organization. One way to determine if support is possible is to look at the methods used for managing authentication of end users.
The following services or protocols are used as ways to support many types of authentication and allow for an indirect method to support WebAuthn:
- If ActiveDirectory, LDAP, or Radius is listed as supported, it may be possible to configure your virtual private network (VPN) to require WebAuthn as the MFA protocol.
- If a credential provider is used in combination with a particular application, service, or remote infrastructure login and the credential provider supports WebAuthn, that could also be indicative of support.
- If a particular product works with a credential provider and that credential provider supports WebAuthn, the VPN product may indirectly support WebAuthn via this service.
- CIS confirmed with VMware that virtual desktop interface (VDI) support exists for browser-based access and that client-based access is a work-in-progress. This confirmation followed from the direct request from a member.
CIS research has confirmed support for WebAuthn in the following market leader products for VPN and VDI:
|
Company |
Product Name |
WebAuthn or PKI Certificate Authentication Support |
|
AccelPro Secure Access |
||
|
IKEv2 |
||
|
AG series, vxAG SSL VPN |
||
|
SmartACCESS, Private Access |
||
|
VPN Gateway |
||
|
Awingu |
Supported through multiple identity and credential providers |
|
|
Blockbit Network Security |
Unknown |
|
|
CryptoFlow |
Unknown |
|
|
AnyConnect |
Supported through multiple identity and credential providers |
|
|
Citrix Gateway |
Supported through multiple identity and credential providers |
|
|
Check Point Capsule |
PKI certificate authentication and WebAuthn possible through MFA credential providers |
|
|
Cloud Network Engine Platform |
Unknown |
|
|
Firewall SSL VPN |
Supported through multiple identity and credential providers |
|
|
Big-IP TLS VPNs |
||
|
FortiClient |
||
|
Cloud VPN |
||
|
Hillstone Networks IPsec VPNs |
||
|
Virtual Intranet Access (VIA) VPN |
PKI certificate authentication and WebAuthn possible through MFA credential providers |
|
|
Ivanti Sentry |
||
|
DirectAccess-IPsec VPN, Web Application Proxy-TLS Gateway |
||
|
Oracle Mobile Platform |
MFA supported through Oracle Mobile Authenticator and Google Authenticator |
|
|
Global Protect |
Supported through multiple identity and credential providers |
|
|
Mobile VPN |
PKI certificate authentication and WebAuthn possible through MFA credential providers |
|
|
Sangfor SSL VPN |
Unknown |
|
|
SonicWall Global VPN Client, SonicWall Secure Mobile Access |
Supported through multiple identity and credential providers |
|
|
Mobile VPN with SSL, IPsec VPN Client, Basic VPN Client |
||
Zero Trust Network Access (ZTNA) Products
Zero-trust network access (ZTNA) products provide dedicated and secure access to individual applications supporting zero-trust principles, including strong multi-factor authentication and dynamic authentication. Ideally, ZTNA products would also cover the full set of tenets for zero-trust; however, for this blog and research, the focus is on MFA.
ZTNA market leaders are included below along with an indication of their support for WebAuthn as an MFA method. If a product is highlighted in green, verification of support is possible and clear from the vendor or through a certification process result. Gartner assessed ZTNA market penetration in June 2022 at 5-20%, with an expected year-over-year growth rate of 60%. VPNs may be more prevalent today, but this should change with zero-trust adoption initiatives underway.
|
Zero Trust Network Access Products |
||
|
Company |
Product Name |
WebAuthn or PKI Certificate Authentication Support |
|
NetMotion ZTNA |
||
|
Enterprise Application Access |
||
|
Appgate SDP |
||
|
Axis Platform |
||
|
Zero Trust Remote Access |
PKI certificate authentication and WebAuthn possible through MFA credential providers |
|
|
Zero Trust Network Access |
PKI certificate authentication and WebAuthn possible through MFA credential providers |
|
|
Transport Access Control |
Device and IoT Access Products |
|
|
Symantec Secure Access Cloud |
May be possible via credential provider, SAML supported for SSO |
|
|
Cato Secure Remote Access |
May be possible through edentity and credential provider, SSO supported |
|
|
Harmony Connect |
||
|
Duo Beyond |
||
|
Secure Private Access |
||
|
Taiji Perimeter |
Unknown |
|
|
Deep Cloud SDP |
Unknown |
|
|
Cloudflare Access |
||
|
Crosslink |
||
|
Zero Trust Network Access (ZTNA) 2.0 |
||
|
TransientAccess |
||
|
Private Access |
||
|
BeyondCorp Remote Access |
||
|
Google Cloud Platform Identity-Aware Proxy |
||
|
Zero Trust Remote Access |
||
|
Ivanti Neurons for Secure Access |
||
|
Jamf Private Access |
||
|
MVISION Private Access |
||
|
Azure AD Application Proxy |
||
|
Web Application Proxy for Windows Server |
||
|
Zero Trust Networking Platform |
||
|
Netskope Private Access |
||
|
Okta Identity Cloud |
||
|
Prisma Access |
||
|
Zero Trust Network Access |
||
|
Zone Zero |
||
|
Continuum |
||
|
Systancia Gate |
||
|
Zero-Trust Business Security |
Unknown |
|
|
Twingate |
||
|
Stealth |
||
|
Verizon Software Defined Perimeter (SDP) |
||
|
Versa Secure Access |
||
|
Open Source Software Defined Perimeter |
Unknown |
|
|
Secure Access ZTNA |
||
|
Access Orchestrator |
||
|
Private Access |
||
Source for Vendors in ZTNA Chart
Operating System and Desktop Client Support
Operating system support is included and mapped against the market adoption for client systems.
|
Operating System |
FIDO2/WebAuthn Support |
Browser |
Platform Authenticators |
Roaming Authenticators (FIDO Certified Hardware, Titan Keys, etc.) |
|
Android 7+ |
Chrome |
Yes |
Yes |
|
|
Safari |
N/A |
N/A |
||
|
Firefox |
No |
No |
||
|
Brave |
No |
No |
||
|
Edge |
No |
No |
||
|
Windows 10+ |
Chrome |
Yes |
Yes |
|
|
Safari |
N/A |
N/A |
||
|
Firefox |
Yes |
Yes |
||
|
Brave |
Yes |
Yes |
||
|
Edge |
Yes |
Yes |
||
|
macOS |
Chrome |
Yes |
Yes |
|
|
Safari |
Yes |
Yes |
||
|
Firefox |
No |
Yes |
||
|
Brave |
Yes |
Yes |
||
|
Edge |
Yes |
Yes |
||
|
iOS |
Chrome |
Yes |
Yes |
|
|
Safari |
Yes |
Yes |
||
|
Firefox |
Yes |
Yes |
||
|
Brave |
Yes |
Yes |
||
|
Edge |
Yes |
No |
||
|
Linux |
Chrome |
\ |
Yes |
|
|
Safari |
N/A |
N/A |
||
|
Firefox |
\ |
Yes |
||
|
Brave |
\ |
Yes |
||
|
Edge |
\ |
Yes |
||
Web Browser and Device Support
The following clients support WebAuthn, providing broad coverage to enable access to applications and services.
The following devices support WebAuthn and/or CTAP.
|
Destop Browser |
Version(s) |
WebAuthn Support |
|
Chrome |
Versions 67 - 109 |
|
|
Edge |
Versions 18 - 106 |
|
|
Safari |
Versions 13 - 16.2 |
|
|
Firefox |
Versions 60 - 108 |
|
|
Opera |
Versions 54 - 92 |
|
|
Brave |
Version 1.45.113 |
|
|
Mobile Browser |
Version(s) |
WebAuthn Support |
|
Chrome for Android |
Version 106 |
|
|
Safari on iOS* |
Version 13.3 - 14.4 |
|
|
Samsung Internet |
17.0 - 18.0 |
|
|
Opera Mini* |
all |
|
|
Opera Mobile* |
Version 64 |
|
|
UC Browser for Android |
Version 13.4 |
|
|
Android Browser* |
Version 106 |
|
|
Firefox for Android |
Version 105 |
|
|
QQ Browser |
Version 13.1 |
|
|
Baidu Browser |
Version 13.18 |
|
|
KaiOS Browser |
Version 2.5 |
|
Application Support
The list of web-based applications supporting WebAuthn and FIDO can be found in this certified product list from the FIDO Alliance. Additional applications may support these protocols, or it may be possible to integrate applications for support through existing infrastructure as discussed earlier in the blog.
Several token providers offer lists of applications that also support protocols in the FIDO Framework. As such, the links are provided to aid research on application support of WebAuthn, CTAP, and FIDO protocols.
Hideez list of supported applications.
Yubico list of Application and Services supporting FIDO Certified Hardware Tokens
CIS researched several cloud-based or hosted application services to determine the level of support for WebAuthn and PKI certificate-based authentication. It maintains the list in the table below.
|
Cloud-based Services |
||
|
Company |
Product Name |
WebAuthn or PKI Certificate Authentication Support |
|
ADP |
||
|
AWS |
||
|
Cloud Stack |
||
|
Asana |
||
|
Jira |
||
|
Confluence |
||
|
Bitbucket |
||
|
Trello |
||
|
Basecamp |
||
|
BlueJeans |
||
|
Concur |
||
|
Dropbox |
||
|
Expensify |
||
|
GitHub |
||
|
Google Meet |
||
|
Google Cloud Platform |
||
|
Google Analytics |
||
|
Google Drive |
||
|
Hootsuite |
||
|
HubSpot |
No WebAuthn or PKI support, MFA through multiple authentication apps |
|
|
IBM Cloud |
||
|
|
|
|
|
Microsoft Teams |
||
|
Microsoft Azure |
||
|
OnApp |
||
|
Salesforce |
||
|
Salesmate |
||
|
SAP |
SAP |
|
|
Sentry |
||
|
Enterprise CX |
||
|
Shopify |
||
|
Slack |
No WebAuthn or PKI support, MFA through multiple authentication apps |
|
|
Square |
||
|
|
||
|
Voluum |
Voluum |
No WebAuthn or PKI support, MFA through multiple authentication apps |
|
Webex |
No WebAuthn or PKI support, MFA through multiple authentication apps |
|
|
Zoom |
No WebAuthn or PKI support, MFA through multiple authentication apps |
|
Expanding Support for WebAuthn
As you'll see from the research above, support is quite prominent for WebAuthn and related protocols in the FIDO Alliance Framework. If you are considering MFA for the first time or revising your solution set, it is a technology that will be worth the investment in terms of the protection offered and where it is on the path to adoption. WebAuthn has strong support as buyers increasingly request the protocol due to the strength of the solution and the projected longevity from sources such as the U.S. federal government and CISA.
We'll update our market research as the solution space evolves. In the meantime, if you see something that warrants a correction, you can get in touch with us below.
Additional information on multi-factor authentication and authorization technologies can be found in the following resources:
- Why Are Authentication and Authorization So Difficult?
- Authentication and Authorization Using Single Sign-On
- Why OAuth Is So Important: An Interview with Justin Richer
- CISA Datasheet: Implementing Phishing-Resistant MFA
- CISA: Multi-Factor Authentication Overview
