Enabling Secure Authentication With WebAuthn

We use various verification and authentication methods to verify user identities, secure access to accounts, and track user activities on our websites. Most users reuse the same credentials across different systems, while those who are concerned about their account security already have two-factor authentication or WebAuthn set up. Having a second security layer is significantly more secure than a password-only approach.

During an attack, an attacker can do the following:

  • The attacker sends the user a fake error or warning message asking them to reply with a verification code to confirm their identity. If the user replies with the code, the attacker can bypass the second stage of 2FA.
  • The attacker can create a convincing email that appears legitimate but contains a link to a phishing website (a fake website pretending to be a genuine one). When you click the link, you are directed to the fake website.
  • If the attacker has phished the backup verification codes, then once they get into the account they have complete unauthorized access to it.

Why do we need WebAuthn?

WebAuthn is based on public-key cryptography and exposes a browser-based API that lets web applications simplify and secure user authentication. If the database holding user credentials is breached, the attackers get only public keys, which are useless without the corresponding private keys. The private key is stored safely on the device, while the server stores the public key and creates challenges for the authenticator to sign.


WebAuthn cryptographic login credentials are unique to each website, never leave the user’s device, and are never stored on a server. This security model eliminates phishing, all types of password theft, and replay attacks.
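
The challenge-signing flow described above, as an added example that is not from the original post or from miniOrange: a simplified Node.js model showing the server-side checks that make a replayed or wrong-origin assertion fail. It omits CBOR and attestation, and `makeAuthenticator`, `issueChallenge`, `verifyAssertion` and any host names used with it are constructed for illustration.

```javascript
// Added example: simplified WebAuthn-style assertion check (no CBOR, no attestation).
const crypto = require('crypto');
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();

// Authenticator: one key pair per relying party (RP); private keys never leave it.
function makeAuthenticator() {
  const creds = new Map(); // rpId -> { privateKey, counter }
  return {
    register(rpId) {
      const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
      creds.set(rpId, { privateKey, counter: 0 });
      return publicKey; // the only thing the server stores
    },
    // The browser supplies `origin`; the page cannot choose it.
    sign(origin, challenge) {
      const rpId = new URL(origin).hostname;
      const cred = creds.get(rpId);
      if (!cred) return null; // no credential is scoped to this site
      const clientDataJSON = Buffer.from(JSON.stringify(
        { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      const counter = Buffer.alloc(4);
      counter.writeUInt32BE(++cred.counter);
      const authData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), counter]); // flag: user present
      const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
      return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, cred.privateKey) };
    },
  };
}

// Server: a fresh random challenge per login attempt.
const issueChallenge = (user) => (user.pending = crypto.randomBytes(32));

// Server: check the assertion against the stored public key and pending challenge.
function verifyAssertion(rp, user, a) {
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.origin !== rp.origin) return 'bad-origin';
  const expected = user.pending;
  user.pending = null; // a challenge is accepted at most once
  if (!expected || client.challenge !== expected.toString('base64url')) return 'bad-challenge';
  if (!a.authData.subarray(0, 32).equals(sha256(rp.id))) return 'bad-rp-id';
  if (!(a.authData[32] & 0x01)) return 'user-not-present';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  if (!crypto.verify('sha256', signed, user.publicKey, a.signature)) return 'bad-signature';
  const counter = a.authData.readUInt32BE(33);
  if (counter <= user.counter) return 'counter-regression';
  user.counter = counter;
  return 'ok';
}
```

Verifying the same assertion twice returns `ok` and then `bad-challenge`, and an assertion produced for a look-alike origin returns `bad-origin`.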

Convenience with advanced security:

WebAuthn works with simple built-in or existing login methods such as Windows login, fingerprint, or FIDO2 security keys, so users don’t have to set up new credentials.

Privacy measures:

As WebAuthn uses a new pair of cryptographic keys for each website, third-party sites cannot gain access to your account on other sites. Also, your biometric data never leaves your device.

miniOrange-supported WebAuthn methods

Enabling WebAuthn for your WordPress Website

miniOrange is currently the only way to get reliably functioning WebAuthn on your WordPress sites. On a WordPress website, miniOrange’s WebAuthn plugin lets you use WebAuthn as a second or even a third factor. miniOrange provides a secure two-factor authentication plugin for multiple platforms (WordPress, Atlassian, Drupal, Magento, Moodle), along with 2FA integration with popular web and mobile applications such as Office365, OpenVPN, Palo Alto, SonicWall Global VPN, Fortinet, Cisco AnyConnect, React App, Apache, ASP.NET, PHP, Node.js, etc., which adds an extra layer of security to your company’s databases, applications, and websites. Through these plugins, you get access to several authentication methods that can prevent the user’s credentials from being shared with anyone, on purpose or by accident. When users enter their correct username and password, they are prompted with a second-factor authentication page that they must complete in order to log in successfully.

MiniOrange Inc

miniOrange Single Sign-On (SSO) & Multi-Factor Authentication (MFA) solution for more than 5000+ pre-integrated applications