
Kentik Product Updates

Latest features, improvements, and product updates on the Kentik Network Intelligence Platform.

Improvement, Core, New feature
today

WebAuthN Authentication in Kentik Portal is here!

In our everlasting quest to strengthen security around the Kentik Platform, we're happy to introduce WebAuthN today – a growing, browser-native Web Authentication standard with many benefits over earlier ones.
Until today, we offered Multi-Factor Authentication (MFA) to our users via these 2-Factor (2FA) methods: Time-based One-Time Password (TOTP, also known as Authenticator App-based Tokens) and hardware keys such as YubiKeys from the FIDO Alliance.
While these methods offer a better security level than plain user/password authentication and we strongly encourage our users to adopt 2FA, the standards have evolved to new, more secure methods that we are now proud to offer to our user base.

Let's see what this is all about!


Authentication security concepts

Let’s take a look at modern improvements recently achieved in the domain of Web Authentication.

"Something you are"

In authentication, there are three categories of credentials (or factors) used to verify a user's identity. They are: something you know (like a password), something you have (such as a security token), and something you are (like a fingerprint). Using a combination of two or more of these factors is known as multi-factor authentication (MFA). 

Modern Authentication favors something you are with the use of Biometric Methods: Fingerprint Recognition (known as Touch ID for Apple users, or Hello for Microsoft users), or camera-based Face Recognition (known as Face ID for Apple users, Face Unlock for Android users). While a malevolent actor can phish something you know or steal something you have, it is much harder to spoof something you are when it is based on your unique biometric markers.

Public/Private keys

Another recent security improvement on the web is the adoption of browser-based Public-key credentials extensions (WebAuthN, which we’ll talk about in a minute, uses this scheme).

In a public-key based Authentication model, a pair of keys (a public key and a private key) is used in authentication. The remote authenticating system stores a user's public key (visible to anyone) and a credential ID, not a password. The private key, which is the secret half of the key pair, is stored securely on the user's device, not on the server.

This design offers significant security benefits compared to traditional passwords: 

  • Security by design: The server has no shared secret with the user that could be compromised. The public key is useless to an attacker on its own.
  • Phishing resistance: The private key is cryptographically bound to a specific website domain, so it cannot be used on a fake phishing site to trick the user.
  • Data breach protection: If a server's database is breached, the attacker can only steal public keys and credential IDs, which cannot be used to impersonate a user.
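The three properties above can be seen in a simplified WebAuthN login check. This is an added example using Node's built-in crypto, not Kentik's code: the site `portal.example`, the phishing host and all function names are hypothetical, and CBOR parsing, attestation and signature-counter checks are left out.

```javascript
// Added example: simplified WebAuthn assertion check (constructed data, not Kentik code).
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();

// Authenticator side: the private key never leaves the device.
function makeAuthenticator() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only key material the server ever stores
    // `origin` is written by the browser, not by the page, so a phishing
    // page cannot claim to be the real site.
    getAssertion(challenge, origin, rpId) {
      const clientDataJSON = Buffer.from(JSON.stringify({
        type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      // authenticatorData = SHA-256(rpId) || flags (0x01 = user present) || signCount
      const authData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
      const signature = sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
      return { clientDataJSON, authData, signature };
    },
  };
}

// Server (relying party) side: needs only the stored public key.
function verifyAssertion(assertion, { publicKey, challenge, origin, rpId }) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== challenge.toString('base64url')) return 'bad challenge';
  if (client.origin !== origin) return 'bad origin';
  if (!assertion.authData.subarray(0, 32).equals(sha256(rpId))) return 'bad rpIdHash';
  if ((assertion.authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const rp = { origin: 'https://portal.example', rpId: 'portal.example' }; // hypothetical site
  const device = makeAuthenticator();
  const attacker = makeAuthenticator(); // knows the stored public key, not the private key
  const challenge = randomBytes(32);
  const expected = { ...rp, publicKey: device.publicKey, challenge };
  return {
    genuine: verifyAssertion(device.getAssertion(challenge, rp.origin, rp.rpId), expected),
    phished: verifyAssertion(device.getAssertion(challenge, 'https://portal.example.evil.test', 'evil.test'), expected),
    replayed: verifyAssertion(device.getAssertion(randomBytes(32), rp.origin, rp.rpId), expected),
    forged: verifyAssertion(attacker.getAssertion(challenge, rp.origin, rp.rpId), expected),
  };
}
```

Calling `demo()` returns one verdict per scenario: the genuine login is accepted, while the assertion produced on the look-alike origin, the one answering a different challenge, and the one signed without the user's private key are each rejected at a different check.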

What is WebAuthN?

WebAuthN is the latest version of the FIDO Alliance’s open authentication standard (FIDO2). It is an effort to bring strong 2FA to the web and is based on the W3C’s Web Authentication API, which is supported by many, if not most, common web browsers.
In a nutshell, WebAuthN brings these attractive improvements to prior 2FA technologies:

  • it is the leading open authentication standard on the web: it is widely adopted, can be audited, and comes natively in most recent browsers
  • it adds public-key cryptography to most existing 2FA methods, securing them further (with the exception of TOTP, which becomes the least secure 2FA method)
  • because most recent browsers are tightly integrated with the hardware and OS they run on, it brings Biometrics (aka "something you are") to web authentication, alleviating the need to procure physical keys

What does it look like in Kentik Portal?

To enable WebAuthN we've made changes to the Authentication tab of the User Profile section, surfacing the new 2-Factor capabilities now offered to users.

Before we dive into these changes, let's summarize the level of security now offered by Kentik Portal for each Authentication method:

Multiple 2-Factor Methods per user

Kentik still lets each user configure multiple 2-Factor Authentication methods in their User Profile – this allows users to set up backups, or alternatives for when they're at home or on the go. A user can configure and name as many of these as they desire.

These Authentication methods are now split into 3 separate tables (click the button on the top right of each table to add one):

  • (1) Legacy Methods: 
    Least secure 2-Factor – includes your Legacy Hardware Keys, such as YubiKeys, and your TOTP.
    You can create a new entry for your YubiKey in the Security Keys table, which will make it WebAuthN compliant (more secure): we strongly encourage you to do so!
    Because Time-Based One-Time Passwords aren't compatible with the WebAuthN standard, they will stay in this "Legacy Methods" section, and we advise moving away from them.
    That being said, they're still a better alternative than no 2-Factor.

  • (2) Device Authenticators:
    These are Hardware/OS level biometrics such as Apple's Touch ID and Microsoft Hello. They are currently considered the most secure methods, because they correspond to the "Something you are" principle.
    Registration of these via the Enroll Device button is natively supported by most recent browsers using a common UI.

  • (3) Security Keys:
    These authentication factors include Hardware USB Security Keys (such as YubiKey or Google's Titan, both FIDO and FIDO2), which are natively WebAuthN compliant. With FIDO2, they come with a PIN code.
    In addition to these keys, you can also configure a mobile-based (iPhone or Android) WebAuthN-compliant method in this section. In this clever method, a QR code is presented to the user at login time, triggering the device's native biometric UI to proceed with a Face ID / Face Unlock verification.

When multiple methods are available, authentication will always prioritize the Device Authenticators first, via a native browser prompt. If the user has configured other WebAuthN methods, such as a YubiKey or an iPhone/Android Mobile Authentication, these will be available as part of the same prompt by choosing Other Methods (see screengrab below).

Biometrics authentication is always prioritized in the Native browser integration

As a user, what should I do?

This choice depends a lot on the Security policy dictated by your company, which you should always conform to.
With that said, as outlined by the previous diagram in this article comparing the security level of the various available methods, Kentik highly suggests that you always opt for the most secure one possible, which is encompassed in the following recommendations:

  • Always use 2-Factor – plain password authentication is unsafe.
  • If your current 2-Factor is TOTP, you should consider adding a WebAuthN compatible one now – in this case HW based biometrics are your best choice since they’re available on any recent laptop or mobile device.
  • If your current 2-Factor is a YubiKey, you should consider

    • re-registering it in the Security Keys section to add WebAuthN to it
    • adding a biometrics-based Device Authenticator if your computer allows it; it will be prioritized over the YubiKey
  • Try to have at least two methods configured, in case you lose one of them or if it happens to get compromised – so that you won't lose access to Kentik portal.

As someone who is responsible for Kentik App Security, what should I do?

As a security-focused Kentik Administrator, you want to increase Authentication Security for all your SaaS Applications, Kentik being no exception. To make the job of migrating users from a weaker 2FA to a stronger, WebAuthN 2FA easier, we added a filter in the Company Settings > Users screen to identify users based on their 2FA settings:

...where Strong points to WebAuthN 2FA methods and Weak (Legacy) to all the other, less preferred ones. Note that the Only Weak option will let you identify those of your users who haven't yet migrated to a stronger, WebAuthN-based 2FA method.

Additionally, a new Custom button at the top right of the Users table lets you add two new columns to help Kentik admins track 2-Factor adoption within their company:

  • Strong Authenticators: number of WebAuthN 2Factor Authenticators configured
  • Weak Authenticators: number of non-WebAuthN 2Factor Authenticators configured

What's next for Kentik Portal Authentication?

Making 2-Factor authentication mandatory

At this juncture, we're seriously considering this as the next step. There are a couple of ways we could go about doing so:

  • In a first step, we could expose a company-wide setting where your security staff could set it as mandatory for your tenant to respect your company's security stance, with a disabled default to make for a smooth and easy transition.
  • In a second step, we could make it mandatory by default and bake it in the user registration/onboarding process.

One of the reasons we haven't made a call about it yet is that a lot of customers have a centralized AAA strategy for accessing their SaaS apps, managed centrally via SSO, with the implication that the underlying SSO should take care of the multi-factor strategy.

Do let us know what your preference would be on the matter!


A note on Password-less authentication

One of the eventual benefits of WebAuthN is password-less authentication such as PassKeys: this standard converges towards allowing users to register with a web application without providing the proverbial insecure password, replacing it entirely in our user profiles data store with the Public Key generated from the initial WebAuthN challenge.
While this is one of our long term goals, password-less is not part of this release, as it requires us to completely overhaul the user registration process.

Still, do let us know if password-less authentication is something you'd like to see in the product in the future.

Author: Greg Villain