Secure Data in Jira and Confluence using WebAuthn
Passwords are hard to remember, so people pick weak ones and reuse them across sites. They are also easy to phish, and phishing campaigns are a routine occurrence. Even a long, complex password can be stolen in several ways: credential-stuffing with a password reused elsewhere, a breached database at another site, or a convincing fake login page.
Even if your password is exposed and ends up in an attacker's hands, an account protected by WebAuthn still cannot be accessed with it, because the password alone no longer satisfies the login. That is what makes WebAuthn such a strong security control.
What is WebAuthn?
WebAuthn, the Web Authentication API, lets web applications integrate strong authentication as either a second factor or the sole factor. With WebAuthn, web applications can resist phishing and simplify the user experience with passwordless sign-in. In practice this means your Jira or Confluence can be configured to use your device's Face ID, a fingerprint reader, or a hardware security key. Your users no longer need to remember a password for each login, and the login experience can be entirely passwordless.
The Web Authentication API (WebAuthn) was developed jointly by the W3C and the FIDO Alliance. It allows servers to register and authenticate users with public key cryptography instead of a password. WebAuthn is supported by current versions of Chrome, Firefox, Edge, and Safari.
How do you achieve this?
Our WebAuthn plugin is built to take the password out of the picture.
The miniOrange WebAuthn plugin never asks for a secret key or a password. Instead, a unique key pair is registered for each site, and every sign-in signs a fresh one-time challenge issued by the server. This gives you the recommended practice of a distinct, strong credential per site without anyone having to remember one.
Does it use your device's built-in fingerprint scanner, face scanner, or local device credentials? Yes. It requires no extra hardware that you have to buy or carry around: you can simply use your own device's authenticator to log in to your Atlassian applications (Jira, Confluence, Bitbucket, etc.) securely.
WebAuthn supports two main categories of authenticator: platform authenticators built into the device (typically unlocked with a biometric or a local PIN) and roaming hardware security keys.
What’s the secret behind WebAuthn, how does it work?
An important aspect of understanding WebAuthn is public key cryptography. Each user credential is a key pair: a public key, which can be shared freely and is handed to the website at registration, and a private key, which stays on the authenticator and is never revealed.
Think of the private key as the key to the front door of a business where only you hold a copy. WebAuthn does not use it to encrypt messages; it uses it to sign. At each login the website sends a random challenge, and the authenticator signs that challenge with the private key.
The website checks the signature with the public key it stored. A valid signature can only have been produced by the holder of the corresponding private key, so the website knows you are present without ever learning a secret it could leak. Because the signed data also includes the website's origin, a signature obtained by a phishing site is useless on the real one.
How does our plugin work?
Our WebAuthn add-on for Jira, Confluence, and Bitbucket lets administrators manage authentication for individual users or groups. You can enable WebAuthn for specific users or groups, depending on who you believe needs this protection most.
If a user has trouble with their authenticator, the admin can reset that user's configuration from the plugin or allow the user to bypass WebAuthn so they can still reach the Atlassian applications. Treat a bypass as a temporary, audited exception, since it reopens the password-only path for that account.
Authentication requests are handled by the user's local authenticator. At registration, the authenticator generates a key pair (public key, private key): the public key is sent to the server and stored in its database, while the private key never leaves the user's device or security key.
At every subsequent login the server issues a random challenge, the authenticator signs it with the private key, and the server verifies the signature with the stored public key. Together the two keys add a layer of security and improve the user experience at the same time.
When WebAuthn is enabled, users are asked to register a local authenticator on their next sign-in to the Atlassian application, after first proving their identity with their existing credentials.
Once their authenticator is registered, users can log in to their Atlassian application with it from then on, without any hassle.
Conclusion
Passwordless login delivers exactly that: it removes the need for a password and signs the user in through a device or biometric, with no second factor, because WebAuthn itself is the only factor. WebAuthn is built on public-key cryptography.
In a nutshell, a relying party (usually the website) stores the public key and sends a random challenge; the authenticator (a device or security key) unlocks with a biometric or PIN and returns a signature over that challenge and the site's origin. It is neat, it is straightforward to deploy, and because the signature is bound to the genuine origin it resists phishing in a way passwords and one-time codes cannot. That is a large step forward for the safety of your data, even if no single control is a cure-all.
You can try our WebAuthn Add-on for Jira, Confluence & Bitbucket. For reference, follow the step-by-step setup guide to configure Web Authentication add-on for Jira, Confluence and Bitbucket applications.
In case of any queries, please feel free to drop us a mail at info@xecurify.com.