Bringing WebAuthn to Salesforce

In the current digital context, it’s difficult to go a week without a new high-profile security breach making the headlines. It has become critical to secure all aspects of our digital lives. Our responsibility as users is great (not reusing passwords, activating Multi-Factor Authentication as much as possible, …). But our responsibility as business owners, managers and developers is greater.

Gone is the time when we could just develop an app, add a login form on top of it and call it a day. Customers have higher expectations about the User Experience and the security we use to protect their data.

While login forms have long been dominated by Email & Password flows, it has been shown time and again that it’s no longer possible to sustain good security with them alone. Multi-Factor Authentication enters the picture here, with varying experiences: SMS, TOTP, Push Notifications, Security Keys, …

In native mobile apps, we have been using biometrics for the last few years. But this simplicity has been missing from the Web.

Enter WebAuthn. I won’t go into the details and the inner workings of WebAuthn; you can find the information you need in other articles.

WebAuthn can be used to provide multi-factor authentication on the Web using biometrics (TouchID, FaceID, ScreenLock) and Windows Hello. WebAuthn does more, but we will focus on biometrics in this article.

We believe that WebAuthn has great potential to improve the overall UX and Security of our users across the Web.

This is why I am proud to share that WebAuthn support has landed in CYM-Identity v0.10. It supports both platform authenticators (biometrics) and cross-platform authenticators (security keys).

Salesforce has had U2F support for a long time now, but it has always been restricted to security keys and only to internal profiles (sales, field services, …).

With CYM-Identity, we want to democratize WebAuthn across the Salesforce ecosystem and have the most impact possible, both from a UX and Security perspective.

WebAuthn Approach

  1. We focus on bringing WebAuthn to Salesforce’s Experience Cloud (Communities) first.
  2. We will support WebAuthn as a second factor first.
  3. We must allow each user to have multiple WebAuthn credentials (taking into consideration account recovery and the fact that users may have different devices).
  4. We must provide a developer-friendly API which can be used to add WebAuthn. We will not package the UI with the implementation. Branding and UX are important and different for each company, so each can build its own.
  5. We must provide a Sample UX to show best practices of WebAuthn platform authenticators.

With v0.10 we have completed all of these targets.

You can watch it in action in the video below

Go deeper

This is just the first step and we would love to hear back from you :)

Digital Identity specialist, Founder of CYM-Identity