Evolution of Web Authentication: From Passwords to WebAuthn
This article reviews the historical development, current practices, and future direction of web authentication, covering traditional password login, third‑party protocols such as OpenID and OAuth 2.0, two‑factor authentication methods, and the emerging password‑less WebAuthn standard.
Traditional Authentication Methods
The classic approach is a registration form with a username and password. The backend should never keep the password itself, nor an encrypted (reversible) copy of it; it stores a salted hash produced by a deliberately slow function (bcrypt, scrypt, Argon2 or PBKDF2). At login the server re‑derives the hash from the submitted password and the stored salt and compares it with the stored value in constant time.
Common Issues
Passwords can be captured at the point of entry, for example by keyloggers or malware on an untrusted device, or by shoulder surfing.
Credentials can be intercepted or hijacked in transit when the connection is not protected by TLS.
A database breach exposes every user's password at once; if they were stored in plaintext or with a fast, unsalted hash, they can be recovered offline.
Users often reuse one password across many services, so a breach at one site lets attackers log in elsewhere (credential stuffing); the password becomes a single point of failure.
Third‑Party Login Methods
Many sites now support third‑party authentication, reducing reliance on passwords. Two main protocols are used:
OpenID (decentralized authentication)
OpenID is a decentralized identity system that lets users log in through an identity provider (e.g., Google). The site receives a unique, provider‑asserted identifier for the user and never handles the user's password. Today the widely deployed form is OpenID Connect (OIDC), an identity layer built on top of OAuth 2.0; the original OpenID 2.0 protocol has been retired by the major providers.
Advantages
Low entry barrier; no registration flow needed.
Users avoid entering passwords, reducing client‑side risk.
Disadvantages
Reliance on the provider’s security; a breach affects all dependent sites.
An outage at the provider blocks login for every dependent site.
Potential loss of direct relationship with the user.
OAuth 2.0 (Open Authorization)
OAuth 2.0 lets a user grant a third‑party application limited access to their resources at a provider (for example, reading their contacts) without sharing their password; the application receives a scoped access token instead. Unlike OpenID, which answers "who is this user?", OAuth answers "what may this application do?". Treating a bare access token as proof of identity is a common mistake: a token issued to one application can be presented to another site that naively accepts any valid token as a login. OpenID Connect exists precisely to add a signed ID token, bound to the intended client, on top of OAuth 2.0.
Advantages
Same usability benefits as OpenID.
Fine‑grained permission scopes allow varying trust levels.
Disadvantages
Same provider‑dependency risks as OpenID.
Over‑broad scopes, or an application that misuses what it was granted, expose user data; the user has to trust both the provider and the requesting site.
Two‑Factor Authentication (2FA)
2FA adds a second verification factor beyond the username and password (something you know), typically something you have: a one‑time code sent by SMS, a time‑based one‑time code (TOTP) from an authenticator app, or an approval tied to a key held on a trusted device.
Common Methods
SMS verification – a one‑time code sent by text message to a registered phone number; the weakest of the three, since SMS can be intercepted or redirected by SIM swapping.
Authenticator apps – generate a 6‑digit TOTP code every 30 seconds from a shared secret established at enrollment (usually via QR code) and the current time, with no network connection needed.
Login confirmation – a push notification to a trusted device, or a cryptographic challenge signed by a key on that device, which the user must approve.
Pros and Cons
Pros: An attacker who obtains the password alone cannot log in; the two factors fail independently.
Cons: Adds friction to the login flow; is not a guarantee, since SMS can be hijacked by SIM swapping, one‑time codes can be phished in real time through a relay proxy, and push prompts can be approved out of fatigue; recovery can be cumbersome if the second factor is lost.
Future of Web Authentication: WebAuthn
WebAuthn is a W3C standard that, together with the CTAP protocol, makes up FIDO2. It enables password‑less login with public‑key credentials: at registration the authenticator creates a key pair scoped to the site's domain (the RP ID) and sends only the public key to the server; at login the server sends a random challenge and the authenticator signs it together with the page origin, so the credential cannot be used by a look‑alike phishing site. The authenticator can be built into the device (fingerprint, facial, iris or voice recognition, or a PIN) or a roaming hardware security key (USB, Bluetooth, NFC); biometric data is only ever checked locally and never leaves the device.
Experience
Users can try WebAuthn on demo sites (e.g., https://demo.yubico.com/webauthn-technical/registration ) with a YubiKey 5 NFC, a MacBook with Touch ID, an iPhone, or an Android device with Google Play Services.
Advantages
High security without passwords: the server stores only a public key, so a database breach yields nothing reusable, and the signed challenge is bound to the origin, which defeats phishing and credential stuffing.
Simplified login using built‑in biometrics or hardware keys, facilitating broader adoption.
Disadvantages
Few Chinese (domestic) websites support it yet; the ecosystem is still maturing.
Learning Resources
PPT: https://ppt.baomitu.com/d/129a784a
Demo source: https://github.com/hanyonggang/WebAuthnDemo
Official W3C and MDN documentation for detailed usage.
Conclusion
WebAuthn offers a highly secure and user‑friendly password‑less experience and is expected to become the mainstream web authentication method in the near future.
Sohu Tech Products
A knowledge-sharing platform for Sohu's technology products. As a leading Chinese internet brand with media, video, search, and gaming services and over 700 million users, Sohu continuously drives tech innovation and practice. We’ll share practical insights and tech news here.