I wonder why I barely see this option on websites altough it seems so perfect to me. Is the WebAuthn protocol complicated to implement or are there any other downsides I might overlook?
Passkeys is a new FIDO standard that will let the private keystore be backed by the cloud. It was added to WebAuthn fairly recently. Having keys tied to specific physical devices was a terrible & frustratingly limited scheme that never had any hope. Now that there's something a little bit looser, there's some small hope WebAuthn starts to become interesting & viable. https://developer.chrome.com/blog/webauthn-conditional-ui/
Another huge challenge is that there are so very many ways for developers to use this tech. There are a truly humbling amount of scenarios & flows one can set-up. Many of the most direct paths continue to have the user already set up an account via regular email/password, so users still end up doing the same account management anyways. I'm missing the link to the wonderful wonderful guide I spent a couple commute rides reading, but it was one of the longest most technical pieces I've read in quite a while. "Introducing the WebAuthn API" is perhaps a reasonably ok substitute. https://medium.com/webauthnworks/introduction-to-webauthn-ap...
Also now your Windows Hello PIN and your screen unlock PIN on Android will be your master password to all websites. That's a huge new risk for real people.
On Windows they don't even bother making a password option which could at least imply that a longer PIN is possible. Windows also asks for the same everytime which strongly encourages making it short.
Although I suppose nobody cares because isn't your PIN already your master password on Android/iPhones for your appstore and payments...
In short I don't think PINs should be allowed for use with webauthn and these devices should have a very user friendly configurable timeout so that users don't have to enter it nonstop. If I logged into my bank 5 seconds ago, maybe it's okay for me to also log into my second bank without prompting for my master password aka PIN again.
So instead of having a physical device you own act as a second factor, you are now vendor-locked to a proprietary authentication solution for the entire login process. No thank you!
The entire point of two-factor authentication is to have, well, two factors: something you know and something you have. Using the PC itself as token was already problematic enough as it has a massive code base and runs all sorts of untrusted code so it is likely to be compromised at some point - but at least that was somewhat excusable due to convenience making it accessible to way more people. But getting rid of the rest of the credential and solely relying on the OS is just insanity.
I was ready to give up until I realized that maybe "internal sensor" means Windows Hello on my machine and yep it does. But no real user is going to click through these security sensitive popup dialogs until Windows Hello shows up as an option. My verdict is that it's still clearly only for techies.
And when I cancel the dialog it prompts me to "setup my security key". Just terrible ui, nonstop popups.
Edit: Firefox shows me the Windows Hello option immediately, that should be the default on desktop.
> Having keys tied to specific physical devices was a terrible & frustratingly limited scheme that never had any hope.
I disagree. I think it's great having it all under my own control. What's important though is to be able to add multiple keys which many sites don't offer.
Having my keys under control of apple or Microsoft sounds to me like a terrible and frustratingly limited scheme.
But passkeys doesn't rule out physical keys so if people want to get deeper in bed with big tech they can, while I can keep my physical keys.
Wow, the main reason to use a dedicated device is to avoid someone else get access to the keys without physically accessing the device. And now the key is voluntarily surrendered.
I'm glad it's slow, the current "solution" to tie your credentials to a device that can be lost, stolen, or broken with the option to sync them to a cloud controlled by big tech companies is abhorrent. And adding more devices is not the answer either.
hard disagree. my favorite workflow for high value accounts is webauthn backed by secure enclave with hardware key backups. it's really low friction from ux perspective and it frustrates me when sites don't support it.
You're listing only the negative aspects, but in truth it's all tradeoffs. What you get is fishing-resistant authentication, that's pretty easy to use.
> And adding more devices is not the answer either.
Why not?
What's your ideal authentication solution?
Two things I'd love to see: Something like Mozilla Persona, and maybe SSH key authentication in the browser. No idea how I'd manage and back up my key though. Don't think it's easy for the broad masses eitehr.
Not sure everywhere else, but within the Ruby community the ‘devise’ gem is most popular auth plugin.
Discussion are currently underway as to how to refactor the code to make passwords second class citizens. And further whether to factor in design for MFA or just to bypass straight to adding passkey support.
It’s major replumbing to essentially move username/password to be one of many, within the auth framework.
Once this is resolved in devise thousands of Ruby/rails apps could add support overnight, but it seems to be getting a little stuck on the question of the best way forward (and someone to do all that heavy lifting).
Join the conversation if you have something valuable to add:
My guess as someone who's been in a position to implement it a few times but haven't gotten to:
- "Upstream" Support, For various combinations of stacks I've worked on, there has always been one component that didn't support it cleanly, (Flutter x Ory was my last attempt for example). If it was as easy as "just" enabling it I'm sure it'd be more popular, but when your provider or tech stack doesn't support it out of the box it's usually not worth the effort to implement it from scratch.
- Customer support. This has many sub problems. At my current job, customers get confused between social login and email/password all the time. Adding a newer more complicated technology would be a recipe for disaster.
Similarly, because my job deals with money in a country where mobile theft is fairly rampant, the additional burden of trying to reassociate a users public key/account/device is problematic.
Finally, I think the concept of managing private keys for a user is fairly complicated, though with passkeys and google/apple syncing your private keys for you I hope to see this burden fall away, and with it the rise of webauthn
I would say because it relies on an hardware key, which few of your users are going to have anyway. Any tech requiring an hardware component is going to be much slower to deploy.
I know there is still much interest in deploying it for internal/employee authentication in large organizations where you control the app login and the employee hardware. Some organizations that wrongly deployed multi factor auth based on SMS have realized that was a poor choice and are looking for alternatives.
> I would say because it relies on an hardware key
This isn’t true on Apple, Google, or Microsoft devices which have a trusted hardware store – I use my MBP’s Secure Enclave for 90% of my logins since it’s just a Touch ID check.
I'm not a huge fan of removing the 'two' from 'two factor authentication'. If people can login with just their device, which could be stolen, I don't think it's as secure as a password+device based 2FA alternative
From a practical standpoint, i dont really think it matters.
The real threat 2fa auth solves is the fact people blame the site operator when they are hacked. 90% of the time it is due to reusing a password. The other 10% it is due to phishing. WebAuthn stops both. 2FA works not because it adds another factor, but because it removes choice from the user so they can't screw it up.
On Apple platforms, a biometric authentication is required to proceed with webauthn, so technically it is 2FA (something you have and something you are).
I currently authenticate with my fingerprint to 1Password, which then autofills a random password and an OTP code. That fulfils my security needs, and I'm unwilling to migrate to something harder to use.
Nearly everyone I know has less tolerance for annoying security than me, so I don't see how WebAuth can possibly succeed.
It’s not that bad to implement, especially since there are a lot of OSS libraries.
The problem IMO is that it will, for most use cases, unconditionally authenticate you to a browser, not a physical token. And that will confuse a lot of people (and make some security engineers twitch).
Why not a token? Lets be frank, pretty much nobody has a yubikey style token, and getting average users to use their phone as a token over Bluetooth is a recipe for support apocalypse.
For bonus adoption friction, IT has trained a generation or two of users to not click on anything that could possibly compromise a computer. And webauthn requires actions often associated with granting permissions to your computer (Touch ID, Bluetooth access, plugging something into usb, etc).
Passkeys are deliberately designed to avoid the issues with Bluetooth pairing. This is why a QR code needs to be scanned - devices do not need to be paired.
true that's yet another big problem I see with this: The user is prompted to enter his OS PIN/password/biometrics to random websites. He just has to trust that the popup wasn't faked and that his OS password isn't somehow transmitted to the website owner. That's a lot of trust to give to some random website. Precisely because the user won't see it as a OS trusted workflow, he sees it as a website that somehow made a Windows login pop up. He probably sees OS popups asking him to install something or allow notifications every few hours and they are rarely legitimate. Now suddenly this new popup is totally legit? Tough sell.
They should have just created this around client certificates like another poster said and then the browser lets people pick and save the certificates to disk and now every user understands that websites will ask for his certificate files and that's okay because those aren't his real OS login.
I don’t know the answer, but this is a pet peeve of mine.
It’s especially frustrating when sites won’t let you enroll for 2FA with a hardware token. Instead they require that you start with some crap “authenticator” app first. Looking at you here, Gitlab and ProtonMail.
It doesn’t provide any benefit to site operators. There are no punishments, drawbacks, or sticks to prevent web operators from shrugging off and ignoring WebAuthn in favor of implementing the bargain basement choice, user/password.
Sign in with WebAuthn via hardware touch sensors is incredibly effective, but is also not an option for a considerable fraction of each site’s users. So it’ll always have to be a second method, not a first, and it comes with privacy hindrances for the greedy (think: Apple Private Relay integrated UI).
Browsers would need to start presenting security warnings for classical password autofill to push adoption to the next level.
Eventually the goal would be to remove username & password altogether. That would be MUCH simpler for developers. No email integration for forgot password flows, no need to hash and store credentials, etc. WebAuthn is dramatically easier to implement than passwords.
With how even banks rely on SMS for 2FA these days, I think this stuff just isn't on most companies' radars. It adds some convenience but until whoever is in charge of setting out a road map is convinced this is useful or something users may want, there's little benefit to spending the dev time.
I use my phone for this stuff because Linux doesn't really support this stuff without faffing about with command line stuff and these keys are quite expensive (especially considering you need two to be safe).
I'm honestly considering changing banks because my bank only supports SMS 2FA, and it triggers for every login. They need to at least adopt old school TOTP. In 2023, relying on SMS feels irresponsible for a side project let alone a bank.
I'm currently looking into deploying hardware keys for some of our users at work (mostly through Microsoft SSO which is FIDO2 passwordless), and one of the roadblock on our end is the inability to define our own minimum requirements for the PIN. Educating our users about the importance of using a secure PIN is indeed a priority, but it would be nice from a security standpoint of we could enforce some policies on our end to at least eliminate the possibility of settings some obviously weak PIN (0000, 1234, etc)
> it would be nice from a security standpoint of we could enforce some policies on our end to at least eliminate the possibility of settings some obviously weak PIN (0000, 1234, etc)
If your security model requires you retaining that level of control over your user's device security, MDM seems like the only option.
I've been working on a passkey-/WebAuth-first startup for the past months and I fully agree with most of the opinions for the slow adoption so far. From my experience, it's all comes down to two major obstacles: A) process / product flows and B) technical implementation.
A) Passkeys / WebAuthn require a completely different user behavior (compared to passwords which everyone is familiar with) and thus a lot of user education. Many product managers see the benefits with less friction, but are super cautious to introduce passkeys for existing systems, especially when users are not too tech-savvy (if you're building a new system for a technical audience, then things look different). Besides it's a huge product management effort to cover all cross-devices/-browser/-platform flows and all edge cases that are involved. Due to the device-boundness of passkeys and the different UI patterns on different device/browser/platform combinations, it gets quickly complicated. Besides you still have to support all your existing login methods: passwords, MFA, social login, SSO. So many product managers looked for larger companies to show best practices for passkey / WebAuthn flows, but so far there's just a handful of these companies, so product managers rather wait for broader adoption.
B) When talking to developers, many have heard of WebAuthn or the FIDO alliance, but integrating passkeys into your existing auth flow is not a 60 minutes task. You have to maintain your own WebAuthn server, deal with different forms of recovery and have to stitch everything together with the existing accounts & login methods. So far there's not many providers who offer easy WebAuthn / passkeys out-of-the-box and many like FusionAuth or Auth0 charge quite a lot for it. Moreover, passkeys / WebAuthn authentication is not anymore a backend-focused form of authentication, but a lot more frontend-loaded, as the UX plays quite an important role and the WebAuthn flow requires JavaScript to call the OS-native APIs. This makes things way more complex than just calling an email-password-auth endpoint. Besides, passkey implementations for native apps (Swift, Kotlin, Flutter) are very basic and good documentation for cross-device flows is lacking here as well.
Nevertheless, there's a lot in the work under the hood and I'm still bullish that things will look pretty different in the near future.
I've asked about it at FOSDEM this year but please when your software supports webauthn ask for the following factor in order: 1/ login 2/ webauthn 3/ password.
This way webauthn will catch phishing site before you loose your password...
It’s easy to implement, the reason it’s not more popular is because services are including support for other 2FA options, and users pick the path of least resistance.
Portability is still an unsolved problem, no matter how often FIDO Advocates say that it's solved (no 1Password is not actually portable, migration still isn't built into the spec as far as I can tell).
I'm always happy to be proven wrong with this. Let me know if I can today (not maybe in the future, but right now) pull down an Open Source codebase onto my Linux computer, compile it myself without submitting some kind of validation check to a 3rd-party that will sign the code, and then batch export from an iPhone/iCloud account into that program so I can use it as provider without individually signing into any of those accounts.
If not, then it's not portable. And that's why people (at the very least people like me) aren't using it, because it's transparently an opportunity to increase vendor lock-in and to allow services to dictate that I can only log into previously client-agnostic accounts using a small set of proprietary platforms. I know that's not the intention of the FIDO Alliance, but their intention doesn't matter if the end result is the same.
Passwords do legitimately have a ton of problems and there is a theoretical version of Passkeys that would be amazing that I would be praising if it existed today. It's not that the idea is bad, there are changes to the standard that could be made that would make this good -- some of them would be controversial, some of them would make security purists upset. We'd need to have a conversation about what hardware attestation is actually going to be used for on a mass-market. But it could happen, it's not that passkeys are inherently bad.
But you will have to drag me kicking and screaming away from a format that is client-agnostic and inherently portable into an authentication mechanism that trivially enables vendor lock-in. Don't tell me about what companies might do in the future, the companies launched products in the present that don't support migration. Fix that, and then I'll listen to conversations about how Passkey/WebAuthn is better.
HN gets a public key, that's the account. The private key is stored on your device, say on iOS it would be stored encrypted in the secure enclave and accessible via TouchID/FaceID.
There is little to no point in stealing the HN user database at that point because that's all just useless public keys, it has no passwords.
If you wanted to add a device to the HN account you'd login, go to the settings, and generate another pub/private key for the new device rather than the traditional "change password". As there is no password. Most likely you're familiar with a variation of this already from sites like Github.
You can use it with Chromium on Linux, but there's two parts to WebAuthn: the user-agent, and the client device/software that holds the key. So, WebAuthn shows you a QR code which you can scan. That happens on the user agent when you try to log in. It's no different than Windows.
But the client software is a bit different. The client software scans the QR code and then provides proof you're the user you claim to be (normal pubkey cryptography) and then the user-agent and server do the rest of the dance. You can look at the spec, I can't remember all the details. But then the question is, what client software do you use?
Most people use their phone for this part. The Phone scans the QR code. There's an implementation advantage for most phones: they can put the key in cryptographic storage on the device; this is one thing most bog-standard PCs are behind on (except Apple with the Secure Enclave, which was inherited from iPhones.) But again, there's no need for the crypto storage here. That's an implementation detail. Again, it just needs to scan the QR code and provide the proof. How that happens is totally arbitrary.
So in theory you can use any software that can just scan a QR code and abide by the spec, for the second part. You could write your own code to store the keys in your GPG keychain, or whatever. But in practice, phones have the most mature implementation today. Most people use phones. They're the most robust and portable solution for most people right now. Presumably "sometime soon" things like 1Password, BitWarden, KeePass, and all those others -- their software will support scanning the QR code and then providing proofs. They'll sync your encrypted database or whatever too instead of using a hardware crypto enclave, but again: implementation details.
So there's nothing about "blessed devices" here or whatever. I think in practice it's just that this is all relatively detailed and security sensitive components, both the user-agent and client software. So those companies are in the best place to implement all that shit. They also tend to have the advantage of their moat; it's easy to onboard Android users via Chrome or Apple users via Safari. It's relatively new, and so the demand for alternative software solutions hasn't reached any critical mass, either.
Also: all of this change the login model a bit, so you need to be able to e.g. associate multiple keys with one account. That's a server-side thing; maybe you need a schema change for example. There's some effort to be spent here by all parties.
Firefox does not support Passkeys at the moment on Linux. Chrome and Chromium do, I believe.
You could possibly hack some shell scripts to read a QR code from a screenshot and then put/retrieve the key from `pass` or whatever.
I think it's because it's a pain to have one key per device. To solve this, you'd need a service like iCloud Keychain (for Apple devices), but that only works for Safari and other Apple stuff. I think once 3rd party apps (like 1Password - see https://www.future.1password.com/) start supporting the syncing of keys, you'll see more use. Alternatively, if you could use iCloud Keychain with Chrome and Firefox, maybe that would work, too. Looking forward to this future!
One possibility for WebAuthn over email/password is the easy retrieval of local, strong and domain-unique encryption key material via the prf extension. Support for this is currently limited to Chrome Canary + hardware key, but MasterKale thinks it will be coming to other browsers, and biometric:
They made it too secure. Classic overengineering. The hardware aspect should have been optional from the start.
It needed two things: browser free credential management that didn't need special hardware and a way to move around creds between devices effortlessly.
The security improvements are great but outside of people who care a lot about this (similar to fido2) it makes things more difficult without making other things less difficult.
Doesn't WebAuthn require a Trusted Platform Module or an equivalent hardware solution, like trusted execution environments, for storing keys? This varies across hardware platforms and vendors which why I'm guessing solutions like WebAuthn haven't become ubiquitous yet.
Its a per browser implementation decision, not required by the protocol. Chrome family browsers even ship a pure SW one but it's in the dev tools side.
We use it at work and for whatever reason every time I get it working one one device, it stops working on another. That and it seems to be fragile across the VPN.
rektide|2 years ago
Another huge challenge is that there are so very many ways for developers to use this tech. There are a truly humbling amount of scenarios & flows one can set-up. Many of the most direct paths continue to have the user already set up an account via regular email/password, so users still end up doing the same account management anyways. I'm missing the link to the wonderful wonderful guide I spent a couple commute rides reading, but it was one of the longest most technical pieces I've read in quite a while. "Introducing the WebAuthn API" is perhaps a reasonably ok substitute. https://medium.com/webauthnworks/introduction-to-webauthn-ap...
Nathanba|2 years ago
In short I don't think PINs should be allowed for use with webauthn and these devices should have a very user friendly configurable timeout so that users don't have to enter it nonstop. If I logged into my bank 5 seconds ago, maybe it's okay for me to also log into my second bank without prompting for my master password aka PIN again.
crote|2 years ago
The entire point of two-factor authentication is to have, well, two factors: something you know and something you have. Using the PC itself as token was already problematic enough as it has a massive code base and runs all sorts of untrusted code so it is likely to be compromised at some point - but at least that was somewhat excusable due to convenience making it accessible to way more people. But getting rid of the rest of the credential and solely relying on the OS is just insanity.
Nathanba|2 years ago
I was ready to give up until I realized that maybe "internal sensor" means Windows Hello on my machine and yep it does. But no real user is going to click through these security sensitive popup dialogs until Windows Hello shows up as an option. My verdict is that it's still clearly only for techies. And when I cancel the dialog it prompts me to "setup my security key". Just terrible ui, nonstop popups.
Edit: Firefox shows me the Windows Hello option immediately, that should be the default on desktop.
wkat4242|2 years ago
I disagree. I think it's great having it all under my own control. What's important though is to be able to add multiple keys which many sites don't offer.
Having my keys under control of apple or Microsoft sounds to me like a terrible and frustratingly limited scheme.
But passkeys doesn't rule out physical keys so if people want to get deeper in bed with big tech they can, while I can keep my physical keys.
alsdfjkslfheu|2 years ago
mrjin|2 years ago
account-5|2 years ago
rgreen|2 years ago
perlgeek|2 years ago
> And adding more devices is not the answer either.
Why not?
What's your ideal authentication solution?
Two things I'd love to see: Something like Mozilla Persona, and maybe SSH key authentication in the browser. No idea how I'd manage and back up my key though. Don't think it's easy for the broad masses eitehr.
sunshinerag|2 years ago
evolve2k|2 years ago
Discussion are currently underway as to how to refactor the code to make passwords second class citizens. And further whether to factor in design for MFA or just to bypass straight to adding passkey support.
It’s major replumbing to essentially move username/password to be one of many, within the auth framework.
Once this is resolved in devise thousands of Ruby/rails apps could add support overnight, but it seems to be getting a little stuck on the question of the best way forward (and someone to do all that heavy lifting).
Join the conversation if you have something valuable to add:
https://github.com/heartcombo/devise/issues/5527
edude03|2 years ago
- "Upstream" Support, For various combinations of stacks I've worked on, there has always been one component that didn't support it cleanly, (Flutter x Ory was my last attempt for example). If it was as easy as "just" enabling it I'm sure it'd be more popular, but when your provider or tech stack doesn't support it out of the box it's usually not worth the effort to implement it from scratch.
- Customer support. This has many sub problems. At my current job, customers get confused between social login and email/password all the time. Adding a newer more complicated technology would be a recipe for disaster.
Similarly, because my job deals with money in a country where mobile theft is fairly rampant, the additional burden of trying to reassociate a users public key/account/device is problematic.
Finally, I think the concept of managing private keys for a user is fairly complicated, though with passkeys and google/apple syncing your private keys for you I hope to see this burden fall away, and with it the rise of webauthn
gtirloni|2 years ago
vdelitz|2 years ago
smashed|2 years ago
I know there is still much interest in deploying it for internal/employee authentication in large organizations where you control the app login and the employee hardware. Some organizations that wrongly deployed multi factor auth based on SMS have realized that was a poor choice and are looking for alternatives.
acdha|2 years ago
This isn’t true on Apple, Google, or Microsoft devices which have a trusted hardware store – I use my MBP’s Secure Enclave for 90% of my logins since it’s just a Touch ID check.
egamirorrim|2 years ago
bawolff|2 years ago
The real threat 2fa auth solves is the fact people blame the site operator when they are hacked. 90% of the time it is due to reusing a password. The other 10% it is due to phishing. WebAuthn stops both. 2FA works not because it adds another factor, but because it removes choice from the user so they can't screw it up.
turnsout|2 years ago
Apreche|2 years ago
jameswestgate|2 years ago
iudqnolq|2 years ago
Nearly everyone I know has less tolerance for annoying security than me, so I don't see how WebAuth can possibly succeed.
unknown|2 years ago
[deleted]
falcolas|2 years ago
The problem IMO is that it will, for most use cases, unconditionally authenticate you to a browser, not a physical token. And that will confuse a lot of people (and make some security engineers twitch).
Why not a token? Lets be frank, pretty much nobody has a yubikey style token, and getting average users to use their phone as a token over Bluetooth is a recipe for support apocalypse.
For bonus adoption friction, IT has trained a generation or two of users to not click on anything that could possibly compromise a computer. And webauthn requires actions often associated with granting permissions to your computer (Touch ID, Bluetooth access, plugging something into usb, etc).
jameswestgate|2 years ago
Nathanba|2 years ago
They should have just created this around client certificates like another poster said and then the browser lets people pick and save the certificates to disk and now every user understands that websites will ask for his certificate files and that's okay because those aren't his real OS login.
cvwright|2 years ago
It’s especially frustrating when sites won’t let you enroll for 2FA with a hardware token. Instead they require that you start with some crap “authenticator” app first. Looking at you here, Gitlab and ProtonMail.
mattrick|2 years ago
altairprime|2 years ago
Sign in with WebAuthn via hardware touch sensors is incredibly effective, but is also not an option for a considerable fraction of each site’s users. So it’ll always have to be a second method, not a first, and it comes with privacy hindrances for the greedy (think: Apple Private Relay integrated UI).
Browsers would need to start presenting security warnings for classical password autofill to push adoption to the next level.
turnsout|2 years ago
jeroenhd|2 years ago
With how even banks rely on SMS for 2FA these days, I think this stuff just isn't on most companies' radars. It adds some convenience but until whoever is in charge of setting out a road map is convinced this is useful or something users may want, there's little benefit to spending the dev time.
I use my phone for this stuff because Linux doesn't really support this stuff without faffing about with command line stuff and these keys are quite expensive (especially considering you need two to be safe).
It's a shame, really.
turnsout|2 years ago
m-p-3|2 years ago
DANmode|2 years ago
If your security model requires you retaining that level of control over your user's device security, MDM seems like the only option.
shawabawa3|2 years ago
The point of hardware keys is to protect against online takeover. Physical access is usually game over either way
vdelitz|2 years ago
A) Passkeys / WebAuthn require a completely different user behavior (compared to passwords which everyone is familiar with) and thus a lot of user education. Many product managers see the benefits with less friction, but are super cautious to introduce passkeys for existing systems, especially when users are not too tech-savvy (if you're building a new system for a technical audience, then things look different). Besides it's a huge product management effort to cover all cross-devices/-browser/-platform flows and all edge cases that are involved. Due to the device-boundness of passkeys and the different UI patterns on different device/browser/platform combinations, it gets quickly complicated. Besides you still have to support all your existing login methods: passwords, MFA, social login, SSO. So many product managers looked for larger companies to show best practices for passkey / WebAuthn flows, but so far there's just a handful of these companies, so product managers rather wait for broader adoption.
B) When talking to developers, many have heard of WebAuthn or the FIDO alliance, but integrating passkeys into your existing auth flow is not a 60 minutes task. You have to maintain your own WebAuthn server, deal with different forms of recovery and have to stitch everything together with the existing accounts & login methods. So far there's not many providers who offer easy WebAuthn / passkeys out-of-the-box and many like FusionAuth or Auth0 charge quite a lot for it. Moreover, passkeys / WebAuthn authentication is not anymore a backend-focused form of authentication, but a lot more frontend-loaded, as the UX plays quite an important role and the WebAuthn flow requires JavaScript to call the OS-native APIs. This makes things way more complex than just calling an email-password-auth endpoint. Besides, passkey implementations for native apps (Swift, Kotlin, Flutter) are very basic and good documentation for cross-device flows is lacking here as well.
Nevertheless, there's a lot in the work under the hood and I'm still bullish that things will look pretty different in the near future.
guerby|2 years ago
This way webauthn will catch phishing site before you loose your password...
albertgoeswoof|2 years ago
I wrote about this here https://blog.mailpace.com/blog/why-we-use-webauthn-for-2fa/
In short, we should implement webauthn, and only webauthn for 2FA
danShumway|2 years ago
I'm always happy to be proven wrong with this. Let me know if I can today (not maybe in the future, but right now) pull down an Open Source codebase onto my Linux computer, compile it myself without submitting some kind of validation check to a 3rd-party that will sign the code, and then batch export from an iPhone/iCloud account into that program so I can use it as provider without individually signing into any of those accounts.
If not, then it's not portable. And that's why people (at the very least people like me) aren't using it, because it's transparently an opportunity to increase vendor lock-in and to allow services to dictate that I can only log into previously client-agnostic accounts using a small set of proprietary platforms. I know that's not the intention of the FIDO Alliance, but their intention doesn't matter if the end result is the same.
Passwords do legitimately have a ton of problems and there is a theoretical version of Passkeys that would be amazing that I would be praising if it existed today. It's not that the idea is bad, there are changes to the standard that could be made that would make this good -- some of them would be controversial, some of them would make security purists upset. We'd need to have a conversation about what hardware attestation is actually going to be used for on a mass-market. But it could happen, it's not that passkeys are inherently bad.
But you will have to drag me kicking and screaming away from a format that is client-agnostic and inherently portable into an authentication mechanism that trivially enables vendor lock-in. Don't tell me about what companies might do in the future, the companies launched products in the present that don't support migration. Fix that, and then I'll listen to conversations about how Passkey/WebAuthn is better.
vbezhenar|2 years ago
How does it work? For example I have Linux, Windows, iOS, Android devices and I want to use single HN account on those devices. How do I do that?
I think that anything other than email+password will confuse users and probably not worth to implement.
DANmode|2 years ago
https://learn.microsoft.com/en-us/windows/security/identity-...
Exciting that another one of my tech dreams is coming true!
HopenHeyHi|2 years ago
There is little to no point in stealing the HN user database at that point because that's all just useless public keys, it has no passwords.
If you wanted to add a device to the HN account you'd login, go to the settings, and generate another pub/private key for the new device rather than the traditional "change password". As there is no password. Most likely you're familiar with a variation of this already from sites like Github.
hooverd|2 years ago
aseipp|2 years ago
But the client software is a bit different. The client software scans the QR code and then provides proof you're the user you claim to be (normal pubkey cryptography) and then the user-agent and server do the rest of the dance. You can look at the spec, I can't remember all the details. But then the question is, what client software do you use?
Most people use their phone for this part. The Phone scans the QR code. There's an implementation advantage for most phones: they can put the key in cryptographic storage on the device; this is one thing most bog-standard PCs are behind on (except Apple with the Secure Enclave, which was inherited from iPhones.) But again, there's no need for the crypto storage here. That's an implementation detail. Again, it just needs to scan the QR code and provide the proof. How that happens is totally arbitrary.
So in theory you can use any software that can just scan a QR code and abide by the spec, for the second part. You could write your own code to store the keys in your GPG keychain, or whatever. But in practice, phones have the most mature implementation today. Most people use phones. They're the most robust and portable solution for most people right now. Presumably "sometime soon" things like 1Password, BitWarden, KeePass, and all those others -- their software will support scanning the QR code and then providing proofs. They'll sync your encrypted database or whatever too instead of using a hardware crypto enclave, but again: implementation details.
So there's nothing about "blessed devices" here or whatever. I think in practice it's just that this is all relatively detailed and security sensitive components, both the user-agent and client software. So those companies are in the best place to implement all that shit. They also tend to have the advantage of their moat; it's easy to onboard Android users via Chrome or Apple users via Safari. It's relatively new, and so the demand for alternative software solutions hasn't reached any critical mass, either.
Also: all of this change the login model a bit, so you need to be able to e.g. associate multiple keys with one account. That's a server-side thing; maybe you need a schema change for example. There's some effort to be spent here by all parties.
Firefox does not support Passkeys at the moment on Linux. Chrome and Chromium do, I believe.
You could possibly hack some shell scripts to read a QR code from a screenshot and then put/retrieve the key from `pass` or whatever.
okhuman|2 years ago
https://github.com/authcompanion/authcompanion2
cwalkatron|2 years ago
guerby|2 years ago
If it can be copied any malware will just copy it and done.
effisfor|2 years ago
https://blog.millerti.me/2023/01/22/encrypting-data-in-the-b...
xtagon|2 years ago
badrabbit|2 years ago
It needed two things: browser free credential management that didn't need special hardware and a way to move around creds between devices effortlessly.
The security improvements are great but outside of people who care a lot about this (similar to fido2) it makes things more difficult without making other things less difficult.
Vanit|2 years ago
exabrial|2 years ago
Please and thank you.
mszary|2 years ago
weare138|2 years ago
fulafel|2 years ago
jbverschoor|2 years ago
jacooper|2 years ago
I don't use stock android, windows or iOS, and I'm sure as hell don't want to be locked to one of them if I did.
unknown|2 years ago
[deleted]
killjoywashere|2 years ago
DANmode|2 years ago
I'd be interested to know which proprietary vendor you're referring to.
quasineutral_|2 years ago
unknown|2 years ago
[deleted]
64operator|2 years ago
jackjon|2 years ago
[deleted]