A demo project for implementing WebAuthn passwordless authentication.
Warning
This repo should not be used as a base for production code. It has some security features turned off for demo purposes, e.g.:
- The backend doesn't require user verification, since my Android device doesn't support it for NFC keys, which basically means the authentication process will pass with just 1 factor.
- The backend doesn't require attestation, because PyWebAuthn doesn't support the attestation format provided by Android devices, so the user might register with a device that's not trusted.
- Multiple users can register and log in with the same authenticator. This lets me demo creating multiple accounts with my limited set of hardware; in production this should not be allowed.
- There's no UI for naming authenticators, though the server supports it.
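
As an added illustration (not code from this repo), this is what the first and third items would look like if enforced on the server: checking the user-verification flag in the authenticator data and refusing a credential ID already bound to another account. The function names, the `PolicyError` class and the in-memory `store` are hypothetical, the sample bytes are constructed, and signature verification is assumed to be handled by the WebAuthn library.

```python
import hashlib
import struct

FLAG_UP = 0x01  # bit 0: user present (touch)
FLAG_UV = 0x04  # bit 2: user verified (PIN or biometric)


class PolicyError(Exception):
    """Raised when a ceremony violates the relying party's policy."""


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise PolicyError("authenticator data shorter than 37 bytes")
    flags, sign_count = struct.unpack(">BI", auth_data[32:37])
    return {"rp_id_hash": auth_data[:32], "flags": flags, "sign_count": sign_count}


def check_policy(auth_data: bytes, rp_id: str, require_uv: bool = True) -> dict:
    """Check the RP ID hash, user presence and, if required, user verification."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise PolicyError("rpIdHash does not match this relying party")
    if not parsed["flags"] & FLAG_UP:
        raise PolicyError("user presence flag not set")
    if require_uv and not parsed["flags"] & FLAG_UV:
        raise PolicyError("user verification required but UV flag not set")
    return parsed


def register_credential(store: dict, credential_id: bytes, user_id: str) -> None:
    """Refuse a credential ID that is already bound to a different account."""
    owner = store.get(credential_id)
    if owner is not None and owner != user_id:
        raise PolicyError("credential already registered to another user")
    store[credential_id] = user_id


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build constructed sample authenticator data (header only, no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)


if __name__ == "__main__":
    touch_only = make_auth_data("localhost", FLAG_UP)  # NFC key tap without PIN
    try:
        check_policy(touch_only, "localhost")
    except PolicyError as exc:
        print("rejected:", exc)
```
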
- Install docker and docker-compose
- Run docker-compose up
Linux permissions
On Linux you might also want to make containers run as your user, so they don't create files owned by root:
- create a .env with:
    export UID=$(id -u)
    export GID=$(id -g)
- add user: "${UID}:${GID}" to the client and server services in docker-compose.yml
- source .env before running docker-compose in any shell
Standards and specifications
Developer resources
Articles and videos