
WebAuthn + Atomic Authentication #136

Open
joepio opened this issue Sep 19, 2022 · 0 comments
Labels
authentication related to key management, signin processes

Comments

@joepio
Member

joepio commented Sep 19, 2022

The WebAuthn specification is a secure and user-friendly system for authentication. It uses public keys, signatures and hardware crypto linked to origins to prevent phishing attacks and skip dealing with passwords. All major browsers support it, although the UX is sometimes not ideal (e.g. on Firefox we can't use macOS fingerprints).

Here's how registration feels:

UX on Safari macOS / iOS is great:

Screenshot 2022-09-19 at 12 58 59

UX on Chrome is a bit more confusing (it should provide a sensible default / big button), but more powerful:

Screenshot 2022-09-19 at 13 08 17

However, if you set the authentication type to Platform (TPM), this screen becomes easier:

Screenshot 2022-09-19 at 13 11 15

Future

  • The big three (Apple, Google, Microsoft) will work on expanded support for credential sharing with FIDO, which should standardize a UX for using your phone to sign in. Let's hope Mozilla also joins this!
  • Credential management API

Implementation suggestion

  • We only support the Platform (TPM) authenticator type. This means no confusing selection screens and weird UX for partial cross-browser support.
  • If the client does not support this, we fall back on a less secure / less standardised alternative (e.g. store private key with web.crypto).

@adileo you'll find this interesting

@joepio joepio added the authentication related to key management, signin processes label Jan 19, 2023
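A sketch of the two-tier registration the issue suggests, as an added example that is not code from the project or from the issue author: the `navigator.credentials.create()` options that ask the browser for a platform authenticator only (no chooser screen), and a Web Crypto fallback for clients without one. The server side (issuing the challenge, storing the public key, checking attestation) is assumed and not shown; names such as `buildPlatformCreationOptions`, `rpId` and `https://app.example`, and the challenge strings, are illustrative assumptions rather than anything from the page.

```javascript
// Added example, not project code. Requires a browser for the WebAuthn path;
// the fallback path also runs under Node (>= 15) for the round-trip demo below.
const enc = new TextEncoder();

// Options for navigator.credentials.create(). `challenge` (random bytes) and
// `userId` come from the server; the caller supplies them here.
function buildPlatformCreationOptions({ rpId, rpName, userId, userName, challenge }) {
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },            // rpId must be the page's registrable domain
      user: { id: userId, name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [
        { type: 'public-key', alg: -7 },          // ES256
        { type: 'public-key', alg: -257 },        // RS256 for authenticators without ES256
      ],
      authenticatorSelection: {
        authenticatorAttachment: 'platform',      // only the built-in (TPM / Secure Enclave) key
        residentKey: 'preferred',
        userVerification: 'required',             // biometric or PIN, not mere presence
      },
      attestation: 'none',
      timeout: 60_000,
    },
  };
}

// In a browser this asks the UA; elsewhere (e.g. Node) it reports false so the
// caller takes the fallback instead of showing a selection screen.
async function platformAuthenticatorAvailable() {
  const PKC = globalThis.PublicKeyCredential;
  if (!PKC || typeof PKC.isUserVerifyingPlatformAuthenticatorAvailable !== 'function') return false;
  return PKC.isUserVerifyingPlatformAuthenticatorAvailable();
}

async function getSubtle() {
  if (globalThis.crypto?.subtle) return globalThis.crypto.subtle;
  const { webcrypto } = await import('node:crypto'); // Node < 19 has no global crypto
  return webcrypto.subtle;
}

// Fallback: a software key scoped to the origin by the browser's storage, not by
// hardware. Non-extractable, so even the page's own JS cannot read the private
// scalar (persist the CryptoKey object itself in IndexedDB). Caveat: any script
// running on the origin (e.g. via XSS) can still ask it to sign.
async function createSoftwareCredential() {
  const subtle = await getSubtle();
  const keyPair = await subtle.generateKey(
    { name: 'ECDSA', namedCurve: 'P-256' }, /* extractable */ false, ['sign', 'verify']);
  const publicKeySpki = new Uint8Array(await subtle.exportKey('spki', keyPair.publicKey));
  return { keyPair, publicKeySpki }; // publicKeySpki is what gets registered server-side
}

// Sign the server challenge together with the origin, mimicking WebAuthn's
// clientDataJSON, so a signature obtained on one origin is useless on another.
async function signChallenge(cred, challenge, origin) {
  const subtle = await getSubtle();
  const message = enc.encode(JSON.stringify({ challenge, origin }));
  const sig = await subtle.sign({ name: 'ECDSA', hash: 'SHA-256' }, cred.keyPair.privateKey, message);
  return new Uint8Array(sig);
}

// Server side: recompute the client data from its own challenge and its own
// origin (never trust the client's copy) and verify against the stored key.
async function verifyAssertion(publicKeySpki, expectedChallenge, expectedOrigin, signature) {
  const subtle = await getSubtle();
  const key = await subtle.importKey('spki', publicKeySpki,
    { name: 'ECDSA', namedCurve: 'P-256' }, false, ['verify']);
  const expected = enc.encode(JSON.stringify({ challenge: expectedChallenge, origin: expectedOrigin }));
  return subtle.verify({ name: 'ECDSA', hash: 'SHA-256' }, key, signature, expected);
}

// Registration entry point: platform authenticator if the UA has one, else software key.
async function register(options) {
  if (await platformAuthenticatorAvailable()) {
    const credential = await navigator.credentials.create(buildPlatformCreationOptions(options));
    return { kind: 'webauthn', credential };
  }
  return { kind: 'software', credential: await createSoftwareCredential() };
}

// Demo of the fallback path with constructed inputs: a genuine login verifies,
// a replay against another origin or another challenge does not.
async function fallbackRoundTrip() {
  const cred = await createSoftwareCredential();
  const challenge = 'constructed-sample-challenge'; // real challenges are random bytes per login
  const signature = await signChallenge(cred, challenge, 'https://app.example');
  return {
    genuine:        await verifyAssertion(cred.publicKeySpki, challenge, 'https://app.example', signature),
    wrongOrigin:    await verifyAssertion(cred.publicKeySpki, challenge, 'https://evil.example', signature),
    wrongChallenge: await verifyAssertion(cred.publicKeySpki, 'other-challenge', 'https://app.example', signature),
  };
}
```

The design point to keep in mind when wiring this up: with the WebAuthn path the browser itself binds the signature to the origin and the hardware key, so the server only has to check `clientDataJSON` and the counter; with the software fallback the origin binding exists only because the server refuses to verify anything but its own `{challenge, origin}`, and nothing stops malicious script on the same origin from using the key, which is why the issue calls it the less secure alternative.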