The Web Authentication (WebAuthn) API is a new way to authenticate users without passwords. The innovative part of this API is that the authenticators are context-aware: a credential is bound to the site it was registered for, so a phishing site is not registered on the authenticator and will not be served a credential, which eliminates phishing.
There are two phases when dealing with WebAuthn: the registration phase and the authentication phase.
In the registration phase, the client and the server agree on the credential to use in seven steps:
- The client (browser) requests registration.
- The server sends a challenge (random numbers), the user info and the server info (domain and name) to the client (browser).
- The client calls createCredential on an external authenticator (e.g. a security key, fingerprint or face recognition) to create a new credential for the site.
- The authenticator checks with the user by requesting a fingerprint, a PIN or a button press.
- Once the user acknowledges the new credential request, the authenticator replies to the browser with the public key and the challenge signed by the private key.
- The browser prepares the final data and sends it to the server.
- The server validates the response, saves the data and finishes.
The authentication phase corresponds to login and follows similar steps:
- The browser requests authentication.
- The server sends a challenge.
- The browser calls getCredential on the authenticator, passing the user info, server info and challenge.
- The authenticator validates the parameters and verifies the user with a PIN, a fingerprint or a button press.
- If the user acknowledges the request successfully, the authenticator signs the challenge with the private key and sends it to the browser.
- The browser prepares the final data and sends it to the server.
- Finally, the server checks the received data against the stored keys and authenticates the user if the check succeeds.
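The server-side checks behind the last step of both phases, as an added example in Python (not code from django-mfa2 or from the page): it validates the clientDataJSON the browser produced (ceremony type, challenge, origin) and the 37-byte authenticatorData header (RP ID hash, user-presence flag, signature counter) using only the standard library. Verifying the assertion signature over the bytes returned by `signed_payload()` with the stored public key is assumed to be done by a separate crypto library and is not shown; function and parameter names are this example's own.

```python
import base64
import hashlib
import json
import struct

# Flag bits of the authenticatorData flags byte (WebAuthn spec section 6.1).
FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url_decode(text: str) -> bytes:
    # WebAuthn JSON transports use unpadded base64url.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_client_data(client_data_json: bytes, expected_challenge: bytes,
                      expected_origin: str, ceremony: str) -> dict:
    # The browser (not the page's script) writes type, challenge and origin into
    # clientDataJSON; the origin check is what makes the ceremony phishing-resistant.
    data = json.loads(client_data_json)
    if data.get("type") != ceremony:
        raise ValueError("unexpected ceremony type: %r" % data.get("type"))
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge does not match the one the server issued")
    if data.get("origin") != expected_origin:
        raise ValueError("origin %r is not this relying party" % data.get("origin"))
    return data


def check_authenticator_data(auth_data: bytes, rp_id: str, last_counter: int,
                             require_uv: bool = False) -> int:
    # Fixed 37-byte header: rpIdHash (32) || flags (1) || signCount (4, big-endian).
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags, counter = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match RP ID %r" % rp_id)
    if not flags & FLAG_USER_PRESENT:
        raise ValueError("user presence (UP) flag not set")
    if require_uv and not flags & FLAG_USER_VERIFIED:
        raise ValueError("user verification (UV) required but flag not set")
    if counter != 0 and counter <= last_counter:
        raise ValueError("signature counter did not increase; possible cloned key")
    return counter


def signed_payload(auth_data: bytes, client_data_json: bytes) -> bytes:
    # The authenticator signed authenticatorData || SHA-256(clientDataJSON).
    return auth_data + hashlib.sha256(client_data_json).digest()
```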
To understand more about WebAuthn, read the excellent MDN article (https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API).
Django-mfa2 (https://github.com/mkalioby/django-mfa2/) is a Django app that provides MFA using TOTP (Time-based One-Time Password), U2F (Universal 2nd Factor), FIDO2 U2F (WebAuthn) and Trusted Devices (a special mode to allow access from devices that don't support security keys, e.g. iOS or common Android phones and tablets that don't have NFC or a fingerprint sensor). The app is production ready and is in fact already used in multiple projects in my work and in open source projects such as AutoDeploy (https://github.com/mkalioby/autoDeploy).
So if you want to secure your Django app with this technology, which is supported by MS Edge, Firefox and Chrome, please give it a try and contact the developer in case of an issue.