For those unaware, WebAuthn is an open standard for second-factor authenticators, where the second factors can take several forms. For example:
- There are hardware USB keys from multiple vendors.
- Windows has built-in WebAuthn support as long as you configure Windows Hello.
- Most mobile phone browsers support WebAuthn with the phone's biometric sensors, and
- If you run a recent enough version of the mobile operating systems, you can also use the phone as an authenticator for a desktop computer through a QR code (the browser will generate said QR code), kind of as if it were a wireless USB key.
- I know there's also the intention that ordinary password managers should support being WebAuthn authenticators, but I'm not sure if the browsers have added the required APIs for that yet, since non-hardware-based WebAuthn is still a somewhat recent development and is still evolving.
- Again, it's an open standard, so there may also be other implementations out there that I'm not even aware of.
There are a couple of advantages to using WebAuthn over ordinary passwords, for example:
- To begin with, and most obviously, if you choose an appropriate authenticator, it is 2FA. Even a passphrase-protected software implementation like Windows Hello with a PIN still counts as 2FA, since you need not only the passphrase but also the actual computer that the FIDO key is stored on. Since Windows Hello also runs outside of the browser, it is more robust against attacks that rely on exploits in the web browser itself.
- Since you effectively register one key per authenticator, if you have a system that is lost/stolen/exploited/whatever, you can simply log in elsewhere and remove its key, without having to change the whole account password.
- WebAuthn uses asymmetric (public-key) cryptography for its authentication, so the site only ever stores a public key per authenticator; there's no sensitive data stored server-side which could be exploited in case of a data leak.
- Even if you keep a password on your account, using WebAuthn for the most part still means that you're never exposing that password to potentially infected browsers or other MITM attacks.
The Haven website doesn't yet support completely removing your password, but if you effectively want to do that, you can set a ridiculously long, randomly generated password and simply forget it. Another recommendation might be to choose a password that is longer and more complex than what you'd normally use for convenience reasons, and be okay with that since you can use a more convenient WebAuthn authenticator in the common case.
Keep in mind, also, that account recovery through your e-mail account remains possible, so your account won't be more secure than your e-mail account is. Not saying that's not secure enough, but it might be something to be mindful of.