Passwords continue to be a persistent pain point in web security—tricky to implement safely and even harder to manage due to weak user practices and vulnerabilities like social engineering. Thankfully, we have a robust alternative available: Passkeys via the Web Authentication API (aka WebAuthn).
Passkeys leverage public-key cryptography for authentication, providing a significantly enhanced security over traditional username-password logins. Most commonly users simply authenticate using biometrics (fingerprints or facial recognition) on their device, so also the user experience is better than with passwords.
Here's how Java web developers can leverage passkeys with WebAuthn in their applications today:
1. Implementing WebAuthn yourself
Like username-password authentication, it's entirely possible—and very flexible—to handle passkeys directly within your application. However, this approach involves substantial effort and introduces potential security pitfalls if incorrectly implemented. Still, custom integration allows you to smoothly handle scenarios like requiring re-authentication for sensitive actions and even supports using passkeys as part of multi-factor authentication (MFA).
I discussed this approach in my rather technical post last year, "Forget Passwords: Accessing the WebAuthn API with Vaadin."
2. Using Spring Security
Spring Security recently introduced preliminary WebAuthn support, offering the convenience of integration within a widely used security framework. While the current implementation may feel a bit rough around the edges, e.g., regarding new user registration flows exclusively with passkeys, there's immense value in leveraging a standard security framework.
I have another technical article in the queue showing how to transfer your current app, one that uses Spring Security and username-password authentication, to completely passwordless. If you are keen on this subject, my related demo (with git history) is already on GitHub: Path to Passkeys.
3. Separate authorization server
For applications leveraging single sign-on (SSO), an external authorization server like Keycloak can provide robust WebAuthn support out of the box (Keycloak Passkey Tutorial). Even if you don't require full SSO capabilities, integrating such a server might simplify your passkey adoption significantly.
Excitingly, the new Vaadin Control Center release (version 24.7) includes built-in passkey integration using Keycloak under the hood, greatly simplifying adoption for Vaadin users.
Alternatively, using OAuth 2 providers like Google (without your own authorization server) effortlessly enables passkey authentication. For example, this nice tutorial shows how to do it with Spring Security. The downside of this approach is that you can’t enforce passkeys exclusively, as traditional username-password options remain available.
In short, adopting passkeys provides a substantial improvement in security and UX, offering web developers an effective pathway beyond traditional password headaches. For new applications it should be the primary authentication mechanism, but we should also seek ways to modernize our current apps to utilize passkeys - there are several good approaches to do it!
Have you tried Vaadin 24.7 yet? Check out the release blog and take it for a spin!