WebAuthn PRF extension #798
Comments
|
Any update on this? |
|
This is important. Going "passwordless" is supposed to be the goal of passkeys. Many things that are end-to-end encrypted, where the service provider doesn't have the ability to decrypt data, depend on the password to derive cryptographic keys client-side. Passkeys can't replace passwords for end-to-end encrypted services if you can't also derive a consistent key for end-to-end encryption from them. This extension is needed for that. |
|
See also: https://bitwarden.com/blog/log-into-bitwarden-with-a-passkey/ |
|
I'm supportive of this extension. There was some discussion of alternative approaches in 2020. However, there are several clear and beneficial use cases for the PRF extension, and the implementation cost is low. I also see no technical flaws in the proposal. Suggest |
|
I implemented PRF using Google Chrome as a test platform in Notesnook and I must say, the user experience is very seamless and secure. Would love to see this in Firefox & Safari for broader compatibility. |
|
It would be great if Firefox supported this. My plan is to go passwordless with Bitwarden and Passkeys. |
|
@martinthomson I understand that this has been accepted and is planned to be implemented? Can you point us to some links/issues where we can track the progress of this? Very much looking forward for this feature! |
|
@pmalek The tracker for this particular feature is here. It's part of this larger task for some related standards. Am not mozilla, but it looks like it won't be a priority until after the |
|
@jschanck (JFYI: @pmalek | @martinthomson | @thecodrr | @agl ) This is a description by Bitwarden on how they use PRF for passkeys: This is a graphical, gentle interactive introduction for learning how the WebAuthn API works: https://webauthn.guide/#registration See https://levischuck.com/blog/2023-02-prf-webauthn for a demonstrator test site for testing the PRF extension implementation! Shows and describes a node.js library and app for testing: https://www.passkeys.com/guides The verbose explanation and the intermixed code on the page may help to understand what needs to be implemented and the site can be used for testing. It is functional with Chrome. Testing the Registration: https://levischuck.com/blog/2023-02-prf-webauthn#heading-registration Using Chrome, clicking the button "Register" opens the registration of a username for this demonstration site. If the Bitwarden extension is enabled, the passkey is registered (saved) by the Bitwarden extension (otherwise by Windows Security using a device or Windows Hello). Testing the Authentication: https://levischuck.com/blog/2023-02-prf-webauthn#heading-authenticate Using Chrome, clicking the button "Retrieve PRF" opens the confirmation of using the passkey to authenticate with the demonstration site. If the Bitwarden extension is enabled and the passkey for the site is registered, the the Bitwarden extension offers to confirm the passkey, otherwise by Windows Security should do the same using a device or Windows Hello. This is where I see that PRF is requested in the options // Important part: the extensions!
extensions: {
// WebAuthn uses the same structure for registration
// as authentication.
// While it looks like we are asking the authenticator
// to evaluate a PRF over the salt, this is more
// of a not equals null, not empty check that sets
// the authenticator up for future PRF use.
prf: {
eval: {
first: state.salt,
},
},The answer if PRF is supported is then checked in the code here: // See if PRF is supported or not
const extensionResults = regCredential.getClientExtensionResults();
if (extensionResults?.prf?.enabled) {
state.prfSupported = true;
} else {
state.prfSupported = false;
}The option // Ask the browser to find and authenticate with the selected credential
const authCredential = await navigator.credentials.get(options);For PRF, Some links on PRF: forcedotcom/cli#2482 AFAICS, these are the API functions that are called here: And according to this page, a huge part of the WebAuthn API is already implemented: Compared to that, PRF looks like a miniscule detail that is missing, but it would finally add that missing piece that makes it all work much more often. I guess that the interfacing from to authentication extension should already be implemented for WebAuthn without PRF, so (I guess) hopefully, only the addition of authentication using PRF needs to be added. Of course the https://w3c.github.io/webauthn/#prf-extension is needed for the actual implementation, but also the existing infrastructure where the PRF extension would be added would be of interest. One aspect that looks to be like an essential hint is this sentence near the end of the site:
Are these preconditions in place so PRF can be implemented? |
|
In the Chromium PRF ticket at https://issues.chromium.org/issues/40140659#comment21, this test suite was used: It has 3 different PRF buttons and the buttons report the test result: https://securitykeys.info/ts/test_suite.html Another PRF test app: https://passkeys.fission.app/register The PRF Passkey is real usability benefit for Chrome when logging in several times a day: PS: This is the discussion thread in the Bitwarden forum about PRF: |
Request for Mozilla Position on an Emerging Web Specification
(Requested as part of https://groups.google.com/a/chromium.org/g/blink-dev/c/iTNOgLwD2bI)
The text was updated successfully, but these errors were encountered: