Allow using webauthn in places that currently require a password #4271
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #4271 +/- ##
==========================================
+ Coverage 98.71% 98.73% +0.01%
==========================================
Files 330 336 +6
Lines 7341 7414 +73
==========================================
+ Hits 7247 7320 +73
Misses 94 94 ☔ View full report in Codecov by Sentry. |
segiddins
force-pushed
the
segiddins/webauthn-instead-of-passwords
branch
4 times, most recently
from
141bf8e
to
3811143
Compare
segiddins
force-pushed
the
segiddins/webauthn-instead-of-passwords
branch
from
3811143
to
4333a23
Compare
There was a problem hiding this comment.
Looks great! I'm happy to merge this now.
I'm also interested in collecting feedback about the idea of using a cookie or the email address (once it has been entered) to trigger a request for a passkey auth. The UX patterns around how to make it easy to use passkeys haven't really shaken out yet, and I'm interested in anything we can do to make it easier and less hassle to use passkeys rather than emails and passwords.
Agreed. |
| post 'webauthn_create', to: 'sessions#webauthn_create', as: :webauthn_create | ||
| post 'webauthn_full_create', to: 'sessions#webauthn_full_create', as: :webauthn_full_create |
There was a problem hiding this comment.
Nit: could we either explain somewhere or update the names of these actions to better capture what exactly they are and what's different between them? Why isn't webauthn_create as full as webauthn_full_create?.
There was a problem hiding this comment.
I haven't taken too close of a look at the code yet, but user tested it through and this is great! 🎉
Just want to double check... if we are making webauthn a single auth factor on signin, then we are deciding that users don't need to provide another factor even if they have MFA enabled? Do you think some users would want to sign in with a username/password and then webauthn as another factor? If so, do you think there be an opt-in / opt-out option for this feature?
|
Given webauthn is using pre-exchanged public key cryptography, I think using it as a "single factor" is just as safe as traditional 2FA. It is resistant to replay attacks, phishing (by tying the relying party to the origin). I think the standard is to allow using passkeys in place of passwords pretty much everywhere I've seen? But I am open to making this configurable if there's significant prior art for it |
|
I'm happy to hear more from folks more focused on security, but my understanding is that using webauthn/passkey login is designed to be the same level of security as password+OTP. For example, here is GitHub's documentation about passkeys:
|
|
Ok cool thanks 👍 that is the sentiment that I was getting in that webauthn is as safe as password+OTP, but it felt a bit odd that if you signin with a password, you still need to webauthn if you have it enabled (I guess that makes things extra secure? 😄 ). I didn't realize that Github had something similar! |
|
I think I would describe it as "passkeys provide the security of 2FA plus a password", so if you only enter a password you still need 2FA (which can be provided by a passkey), but if you provide a passkey, you no longer also need to provide a password. :) |
segiddins
force-pushed
the
segiddins/webauthn-instead-of-passwords
branch
from
4333a23
to
03593e3
Compare
i.e. allow using passkeys as a single auth factor
segiddins
force-pushed
the
segiddins/webauthn-instead-of-passwords
branch
from
03593e3
to
20677a3
Compare
|
@jenshenny does that answer your question? |
i.e. allow using passkeys as a single auth factor
Demo: https://share.cleanshot.com/9cmkZf62