Suby Raman
Duo Security
Suby Raman

The Web Authentication API - Imagine a World Without Passwords

At Duo Security, I have been part of a team driving one of the first implementations of the Web Authentication API, a Javascript API recently made available in Chrome and Firefox, and planned for release in all major browsers. The spec aims to provide a single method for securing users across the internet, by integrating with the strong authentication now built into devices, like Apple’s Touch ID or Microsoft Hello; instead of passwords, their fingerprint, face, or voice can log into a web application.

In this talk I’ll discuss the history and weaknesses of passwords, and how the Web Authentication spec attempts to solve these problems with public-key cryptography. I’ll give code samples describing the basic implementation on the server and client. I’ll describe the user-experience and engineering challenges faced by my team in integrating the Web Authentication API into our product. I will conclude with thoughts on the prospects of Web Authentication, and why I feel it could have a significant impact on the way developers and users think about security.



Suby Raman is a multimedia artist and full-stack software engineer, working for Duo Security out of Ann Arbor, Michigan. At Duo he has helped drive development of passwordless authentication and phishing assessment tools. He has an avid interest in GPU programming to create interesting visual experiences, using platforms like WebGL and TouchDesigner.

He hopes to one day create great art with data generated from his cat.