Tracing the Evolving Levels of Support for WebAuthn

By Kathleen M. Moriarty, CIS Chief Technology Officer, with supporting research from Ben Carter, IoT Specialist at CIS

You've likely been hearing about the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) and wondering if you're ready to implement it in your environment. One of the reasons why it's gaining traction is because it not only helps deprecate passwords but also prevents credential theft. It does this by using public/private key pairs for multi-factor authentication (MFA), which prevents a cyber threat actor (CTA) from stealing or replaying credentials. And all while being simpler to implement than a full PKI solution. (An earlier blog covered the different types of MFA schemes and linked to an NSA evaluation of MFA solutions against the NIST Special Publication 800-63 Authentication Levels.)

WebAuthn is just one of the authentication protocols that fit into the FIDO Alliance framework enabling public/private key pair authentication across platforms and applications. The solution set evolved from Google’s Universal 2 Factor (U2F) that was first contributed to the FIDO Alliance for development and then to W3C, where WebAuthn emerged. The FIDO Alliance also developed a related authentication protocol, the Client to Authenticator Protocol (CTAP), to support non-web applications.

For authentication protocols in the FIDO Alliance Framework, each user and application combination has a unique public/private key pair where mutual authentication is performed using these keys to digitally sign challenges. Since the signed challenges pass on the wire, credentials cannot be replayed or easily captured. (You might be hearing more about secure passwordless authentication these days. Passwordless authentication is possible because of the proliferation of these standards.)

In a memo dated January 26, 2022, the Office of Management and Budget specifically called out W3C’s WebAuthn along with public key infrastructure (PKI) as one of the acceptable authentication methods for the federal government to implement by the end of fiscal year 2024 because of its phishing-resistant properties. The memo requires a zero-trust approach where MFA is required at the application layer instead of the network layer. This is a change in guidance from the model before adoption of zero-trust, with remote access or administrator-level access being more common as a sole requirement for MFA. The requirement provides incentives for vendors who have not yet integrated the standard to do so now. As a result, many applications, existing Identity and Access Management (IAM) frameworks, directory services (e.g. LDAP, ActiveDirectory), credential providers (CP), and identity providers (IDP) support WebAuthn or are planning to support the appropriate protocol in the FIDO Framework.

Determining Support for Your Environment

There are many levels of support for emerging protocols, including fully certified solutions that are listed on the FIDO Alliance Certified Products web page. W3C also promotes support of WebAuthn in products, as it works closely with client vendors to ensure wide support in web browsers, devices, and client operating systems. Some point products have support integrated at some level, but the applications aren't certified. Additionally, in many cases, a credential provider may provide support or integration through a directory service such as LDAP or ActiveDirectory. If your organization’s applications are not listed directly in one of these lists, developers and administrators should look to the following resources to determine if it is possible to close the gap for their environment:

There are a large number of products that support WebAuthn and other standards in the FIDO Framework. W3C worked diligently with browser vendors and other client application vendors to ensure that access using these standards would be possible from most devices and systems. The data provided by the FIDO Alliance and W3C on support are regularly updated; however, it is not necessarily connected in a way that is easy for organizations to determine if all the products they care about most in their environments have support.

As such, the Center for Internet Security (CIS) conducted market research to determine if we could bridge that gap minimally as a point-in-time snapshot to determine readiness for implementation. Support is grouped in categories that may help to determine if clients, applications, and devices have the support needed to move to WebAuthn and the FIDO Framework.

Identity and Credential Provider Support

Identity providers (IdP) create, store, and manage digital identities. Credential providers manage authentication credentials that can be assigned to an identity. While many organizations manage their own credentials, some can outsource these efforts to ease management. (This may be more common for some types of multi-factor authentication protocols.) In some cases, an IdP is also a credential provider. Many organizations already use a credential provider where support for newer authentication protocols such as WebAuthn is available. Additionally, several One-Time Password (OTP) solution providers have expanded to become credential providers by supporting additional authentication protocols such as WebAuthn.

The dropdown below is a table listing the credential providers discovered in our research that support WebAuthn.

Identity & Credential Providers

Company/Solution

MFA Factor Type

WebAuthn Support

Auth0

Push notifications, SMS, Voice, One-Time Passwords, WebAuthn with security keys and device biometrics, Email

Yes

CyberArk

QR Code, Push notification, PINs, Authenticator App, OTP, Phone Call, SMS, Email, Hardware Token, Biometric

Yes

Duo

Duo Push, WebAuthn, Biometrics, Tokens, Passcodes

Yes

Google Cloud

Hardware security keys, phone as a security key, mobile device push notifications, SMS, and voice calls

Yes

IBM Security Verify

SMS/Email/Voice Callback OTP, TOTP, IMB Verify App (user presence and biometric), FIDO authenticator

Yes

LoginTC

Passwords, four-digit personal identification numbers, OTPs, hardware token, security key, key fob, SIM Card, Biometric

Yes

Microsoft Azure AD

Microsoft Authenticator app, Windows Hello for Business, FIDO2 security key, OATH hardware token, OATH software token, SMS, Voice Call

Yes

MiniOrange

SMS, Phone Callback, Multi-Factor Authenticator Apps, miniOrange Authenticator, Email, Hardware Token, Security Questions

Yes

Okta

Passwords, Security Questions, SMS/Voice/Email, Verification, Yubikey OTP, WeAuthn

Yes

OneLogin

OTP app, email, SMS, voice, WebAuthn for biometric factors, third-party options

Yes

PingID/PingFederate

Mobile push, email OTP, SMS OTP, TOTP authenticator apps, QR codes, magic links, FIDO2-bound biometrics, security keys

Yes

RSA SecurID Access

Push-to-approve, one-time passcodes, biometrics, FIDO-based authentication

Yes

SailPoint

Mobile push, email OTP, SMS OTP, authenticator app,biometrics, security keys and tokens

No, needs to be paired with another solution

VPN and VDI WebAuthn Support

Before zero trust was prominent, MFA was minimally required for remote access and administrator functions. As such, assessing support on these devices is likely a first step for your organization. One way to determine if support is possible is to look at the methods used for managing authentication of end users.

The following services or protocols are used as ways to support many types of authentication and allow for an indirect method to support WebAuthn:

  • If ActiveDirectory, LDAP, or Radius is listed as supported, it may be possible to configure your virtual private network (VPN) to require WebAuthn as the MFA protocol.
  • If a credential provider is used in combination with a particular application, service, or remote infrastructure login and the credential provider supports WebAuthn, that could also be indicative of support.
  • If a particular product works with a credential provider and that credential provider supports WebAuthn, the VPN product may indirectly support WebAuthn via this service.
  • CIS confirmed with VMware that virtual desktop interface (VDI) support exists for browser-based access and that client-based access is a work-in-progress. This confirmation followed from the direct request from a member.

CIS research has confirmed support for WebAuthn in the following market leader products for VPN and VDI:

Top VPN Providers (Gartner Source for Product List)

Company

Product Name

WebAuthn or PKI Certificate Authentication Support

AccelPro

AccelPro Secure Access

PKI certificate authentication, Additional methods possible

Apple

IKEv2

Supported directly

Array Networks

AG series, vxAG SSL VPN

Supported through identity providers and SSO

Aryaka

SmartACCESS, Private Access

No, device-based authentication

AT&T

VPN Gateway

Possible through identity provider

Awingu

Awingu

Supported through multiple identity and credential providers

Blockbit

Blockbit Network Security

Unknown

Certes Networks

CryptoFlow

Unknown

Cisco

AnyConnect

Supported through multiple identity and credential providers

Citrix

Citrix Gateway

Supported through multiple identity and credential providers

Cloud Point Software

Check Point Capsule

PKI certificate authentication and WebAuthn possible through MFA credential providers

Cradlepoint

Cloud Network Engine Platform

Unknown

Dell Technologies

Firewall SSL VPN

Supported through multiple identity and credential providers

F5

Big-IP TLS VPNs

Supported through identity providers and SSO

Fortinet

FortiClient

Supports RADIUS

Google

Cloud VPN

Supported directly and through identity providers

Hillstone Networks

Hillstone Networks IPsec VPNs

Supports Xauth

HPE (Aruba)

Virtual Intranet Access (VIA) VPN

PKI certificate authentication and WebAuthn possible through MFA credential providers

Ivanti

Ivanti Sentry

No, device-based authentication

Microsoft

DirectAccess-IPsec VPN, Web Application Proxy-TLS Gateway

MFA via Azure AD

Oracle

Oracle Mobile Platform

MFA supported through Oracle Mobile Authenticator and Google Authenticator

Palo Alto Networks

Global Protect

Supported through multiple identity and credential providers

Pulse Secure

Mobile VPN

PKI certificate authentication and WebAuthn possible through MFA credential providers

Sangfor Technologies

Sangfor SSL VPN

Unknown

SonicWall

SonicWall Global VPN Client, SonicWall Secure Mobile Access

Supported through multiple identity and credential providers

Watchguard

Mobile VPN with SSL, IPsec VPN Client, Basic VPN Client

No, WebAuthn listed

Zero Trust Network Access (ZTNA) Products

Zero-trust network access (ZTNA) products provide dedicated and secure access to individual applications supporting zero-trust principles, including strong multi-factor authentication and dynamic authentication. Ideally, ZTNA products would also cover the full set of tenets for zero-trust; however, for this blog and research, the focus is on MFA.

ZTNA market leaders are included below along with an indication of their support for WebAuthn as an MFA method. If a product is highlighted in green, verification of support is possible and clear from the vendor or through a certification process result. Gartner assessed ZTNA market penetration in June 2022 at 5-20%, with an expected year-over-year growth rate of 60%. VPNs may be more prevalent today, but this should change with zero-trust adoption initiatives underway.

Zero Trust Network Access Products

Company

Product Name

WebAuthn or PKI Certificate Authentication Support

Absolute Software (NetMotion)

NetMotion ZTNA

PKI certificate authentication, additional methods possible

Akamai

Enterprise Application Access

WebAuthn and other MFA methods supported

Appgate

Appgate SDP

No WebAuthn; OTP, Biometrics, and Push available

Axis

Axis Platform

No WebAuthn listed or certification

Banyan Security

Zero Trust Remote Access

PKI certificate authentication and WebAuthn possible through MFA credential providers

Bitglass

Zero Trust Network Access

PKI certificate authentication and WebAuthn possible through MFA credential providers

BlackRidge

Transport Access Control

Device and IoT Access Products

Broadcom

Symantec Secure Access Cloud

May be possible via credential provider, SAML supported for SSO

Cato

Cato Secure Remote Access

May be possible through edentity and credential provider, SSO supported

Check Point Software Technologies

Harmony Connect

Supported through identity and credential provider

Cisco

Duo Beyond

Supported through identity and credential provider

Citrix

Secure Private Access

Supported through identity and credential provider

Cloudaemon (China)

Taiji Perimeter

Unknown

CloudDeep Technology(China only)

Deep Cloud SDP

Unknown

Cloudflare

Cloudflare Access

Available through select identity providers

Cognitas Technologies

Crosslink

Supported through identity provider

Cyolo

Zero Trust Network Access (ZTNA) 2.0

Supported through identity provider

Deloitte (Transientx)

TransientAccess

May be possible through identity provider

Forcepoint

Private Access

Supported through identity provider

Google

BeyondCorp Remote Access

Supported directly and through identity providers

Google Cloud Platform Identity-Aware Proxy

Supported directly and through identity providers

InstaSafe

Zero Trust Remote Access

Supported through identity providers and SSO

Ivanti

Ivanti Neurons for Secure Access

No, device-based authentication

Jamf

Jamf Private Access

Supported through identity provider

McAfee

MVISION Private Access

Supported through identity provider

Microsoft

Azure AD Application Proxy

Supported through Azure AD identity management

Web Application Proxy for Windows Server

Supported directly

NetFoundry

Zero Trust Networking Platform

No Webuthn or PKI Support, MFA via Google Authenticator

Netskope

Netskope Private Access

Supported through identity providers and SSO SAML

Okta

Okta Identity Cloud

Supported through identity provider (Okta is also an IdP.)

Palo Alto Networks

Prisma Access

Supported through credential providers

Perimeter 81

Zero Trust Network Access

Supported through identity providers

Safe-T

Zone Zero

Supports RADIUS and Open Authentication (OATH)

SAIFE

Continuum

Supported through identity providers

Systancia

Systancia Gate

Supported directly (PAM product)

Trusfort

Zero-Trust Business Security

Unknown

Twingate

Twingate

Supported through identity provider

Unisys

Stealth

No, other MFA protocols supported

Verizon

Verizon Software Defined Perimeter (SDP)

No, other MFA and passwordless solutions supported

Versa

Versa Secure Access

MFA supported through ActiveDirectory, LDAP, or RADIUS

Waverley Labs

Open Source Software Defined Perimeter

Unknown

Zentera Systems

Secure Access ZTNA

Supported through identity provider

Zero Networks

Access Orchestrator

No, Access Orchestrator provides asset-focused MFA

Zscaler

Private Access

Supported through identity provider

Source for Vendors in ZTNA Chart

Operating System and Desktop Client Support

Operating system support is included and mapped against the market adoption for client systems.

Operating System and Desktop Client Support

Operating System

FIDO2/WebAuthn Support

Browser

Platform Authenticators

Roaming Authenticators (Yubikeys, Titan Keys, etc.)

Android 7+

Yes

Chrome

Yes

Yes

Safari

N/A

N/A

Firefox

No

No

Brave

No

No

Edge

No

No

Windows 10+

Yes

Chrome

Yes

Yes

Safari

N/A

N/A

Firefox

Yes

Yes

Brave

Yes

Yes

Edge

Yes

Yes

macOS

Yes

Chrome

Yes

Yes

Safari

Yes

Yes

Firefox

No

Yes

Brave

Yes

Yes

Edge

Yes

Yes

iOS

Yes

Chrome

Yes

Yes

Safari

Yes

Yes

Firefox

Yes

Yes

Brave

Yes

Yes

Edge

Yes

No

Linux

Partial Support

Chrome

\

Yes

Safari

N/A

N/A

Firefox

\

Yes

Brave

\

Yes

Edge

\

Yes

Web Browser and Device Support

The following clients support WebAuthn, providing broad coverage to enable access to applications and services.

The following devices support WebAuthn and/or CTAP.

Web Browser and Device Support

Destop Browser

Version(s)

WebAuthn Support

Chrome

Versions 67 - 109

Yes

Edge

Versions 18 - 106

Yes

Safari

Versions 13 - 16.2

Yes

Firefox

Versions 60 - 108

Partial support

Opera

Versions 54 - 92

Yes

Brave

Version 1.45.113

Yes

Mobile Browser

Version(s)

WebAuthn Support

Chrome for Android

Version 106

Yes

Safari on iOS*

Version 13.3 - 14.4
Versions 14.5 - 16.1

Partial support, yes

Samsung Internet

17.0 - 18.0

Yes

Opera Mini*

all

No

Opera Mobile*

Version 64

Yes

UC Browser for Android

Version 13.4

Yes

Android Browser*

Version 106

Yes

Firefox for Android

Version 105

Partial support

QQ Browser

Version 13.1

Yes

Baidu Browser

Version 13.18

Yes

KaiOS Browser

Version 2.5

Yes

Application Support

The list of web-based applications supporting WebAuthn and FIDO can be found in this certified product list from the FIDO Alliance. Additional applications may support these protocols, or it may be possible to integrate applications for support through existing infrastructure as discussed earlier in the blog.

Several token providers offer lists of applications that also support protocols in the FIDO Framework. As such, the links are provided to aid research on application support of WebAuthn, CTAP, and FIDO protocols.

Hideez list of supported applications.

Yubico Applications Supported and Service Integration

CIS researched several cloud-based or hosted application services to determine the level of support for WebAuthn and PKI certificate-based authentication. It maintains the list in the table below.

Cloud-based Services

Company

Product Name

WebAuthn or PKI Certificate Authentication Support

ADP

ADP

Supported through identity providers and SSO SAML

Amazon Web Services

AWS

Supported directly

Apache

Cloud Stack

Credential and identity providers through OpenID Connect

Asana

Asana

Yes, through OpenID Connect

Atlassian

Jira

Supported directly

Confluence

Bitbucket

Trello

Basecamp

Basecamp

Supported directly

BlueJeans

BlueJeans

Supported through identity providers and SSO SAML

Concur

Concur

Supported through identity providers and SSO SAML

Dropbox

Dropbox

Supported directly

Expensify

Expensify

Supported through identity providers and SSO SAML

Meta

Facebook

Supported though identity providers and SSO

GitHub

GitHub

Supported directly

Google

Google Meet

Supported directly and through identity providers

Google Cloud Platform

Google Analytics

Google Drive

Hootsuite

Hootsuite

Supported through identity providers and SSO SAML

HubSpot

HubSpot

No WebAuthn or PKI support, MFA through multiple authentication apps

IBM

Compose

Supported directly

IBM Cloud

LinkedIn

LinkedIn

Supported though identity providers and SSO

Microsoft

Microsoft Teams

Supported through Azure Active Directory

Microsoft Azure

Supported through Azure Active Directory

Office 365

Supported directly

OnApp

OnApp

Supported through identity providers and SSO SAML

Salesforce

Salesforce

Supported directly

Salesmate

Salesmate

Supported through identity providers and SSO SAML

SAP

SAP

Supported through identity providers and SSO SAML

Sentry

Sentry

Supported directly

ServiceNow

Enterprise CX

Supported through identity providers and SSO SAML

Shopify

Shopify

Supported through identity provider

Slack

Slack

No WebAuthn or PKI support, MFA through multiple authentication apps

Square

Square

WebAuthn supported through 3-D Secure

Twitter

Twitter

Supported directly

Voluum

Voluum

No WebAuthn or PKI support, MFA through multiple authentication apps

Webex

Webex

No WebAuthn or PKI support, MFA through multiple authentication apps

Zoom

Zoom

No WebAuthn or PKI support, MFA through multiple authentication apps

Expanding Support for WebAuthn

As you'll see from the research above, support is quite prominent for WebAuthn and related protocols in the FIDO Alliance Framework. If you are considering MFA for the first time or revising your solution set, it is a technology that will be worth the investment in terms of the protection offered and where it is on the path to adoption. WebAuthn has strong support as buyers increasingly request the protocol due to the strength of the solution and the projected longevity from sources such as the U.S. federal government and CISA.

We'll update our market research as the solution space evolves. In the meantime, if you see something that warrants a correction, you can get in touch with us below.


Additional information on multi-factor authentication and authorization technologies can be found in the following resources: