[HN Gopher] WebAuthn Is Great and It Sucks
___________________________________________________________________
WebAuthn Is Great and It Sucks
Author : stargrave
Score : 22 points
Date : 2023-07-02 20:35 UTC (2 hours ago)
(HTM) web link (sec.okta.com)
(TXT) w3m dump (sec.okta.com)
| SoftTalker wrote:
| It will fail, like all attempts to replace passwords have failed,
| because it doesn't address the problem that all the others didn't
| address: users don't understand it.
|
| Users understand passwords. They even understand entering a
| 6-digit number that was texted to their phone. That's about it.
| It has to be that easy, or it will fail. If you have to start
| talking about public key cryptography, you're doomed.
| baybal2 wrote:
| [dead]
| kahnclusions wrote:
| Also, most of the marketing totally fails at explaining what
| passkeys are to both ordinary users AND developers.
|
| What is a passkey? Most material I've read just defines them as
| a "credential" that is "used as an authentication method."
| That's it. It's a credential. What kind? Who knows. Only when
| you arrive at the Apple developer page you finally learn that
| they are "cryptographic key pairs". And then you start digging
| into WebAuthn, get a throbbing headache, close your laptop, and
| do something else productive instead.
| klabb3 wrote:
| Agreed it's partially an education problem. But it has no more
| inherent UX complexity than passwords, at least not on the
| happy paths. People are already used to having say boarding
| passes in their "wallet" apps, so device-specific isn't that
| hard to grok. In modern countries, you also have strong
| authentication systems for banking and government errands etc,
| which are used by millions of regular people every day without
| issue, despite spooky public keys lurking underneath.
|
| I worry much more about the account recovery UX and issues. If
| you lose your phone, how to replace it? Is that replacement
| path a prime target for attackers? I'd argue key distribution
| (issuing, rotating, revoking, multi-device) is where almost all
| the subtle pitfalls are.
| artdigital wrote:
| Little question on that topic
|
| Maybe it's that all this stuff is still new but whenever
| something offers PassKey support I now add 3:
|
| - one on android
|
| - one on iOS
|
| - one in 1Password
|
| Even more fun when it's mixed with yubikeys, add primary key and
| secondary key to that list
|
| I now have a spreadsheet to write down which website has which
| keys added to keep track. Hopefully something like 1Password will
| handle that soon, but I don't want to risk losing access to my
| iCloud or Google and getting locked out. Even more confusing when
| browsers like chrome offer to save a passkey into the browser
| which is synced only within that browser (I think, exception
| being Safari)
|
| How are you all handling that?
| lxgr wrote:
| For this reason, I don't really use WebAuthN as my (only)
| second factor - yet.
|
| We'll soon be able to sync these across platforms using
| password managers, though. Android already has an API available
| for them to integrate, I believe; iOS will follow in autumn.
| aseipp wrote:
| In the next version of iOS you'll be able to use a third party
| app to handle the Passkey flow, like how a 3rd party app can
| handle the password flow today. So you'll be able to remove
| your passkey from iCloud and use the one inside 1Password
| instead.
|
| Also, I think the browser thing with Chrome is a matter of
| extension support; in Edge with 1Password Beta Extension,
| 1Password definitely takes over Passkey flows instead of using
| the (absolutely insanely confusing) Windows Hello UX. Just like
| it takes over password saving (there's an option in settings
| that shows password sync settings are controlled by the 1Pass
| extension.) So you may just need to use the Beta extension in
| your Chrome for now, and I think 1Password will take over from
| there.
|
| Basically we're moving towards a setup where you trust your
| password manager to hold onto your passkeys and then the OS
| will allow that integration. I don't know what the status of
| these features is on Android.
| toomuchtodo wrote:
| If I get locked out, I expect the ability to reset my passkeys
| (stored in iCloud primarily) with an email, just like I would
| with a password reset. Passkeys are cryptographic primitives
| replacing password strings, not replacing identity. There is a
| difference.
|
| The Home Depot mobile app does something similar already.
| Passkeys/biometrics for persisting an iOS session, and to re-
| up a session, you get emailed a six digit code to your email.
| Why have the password?
|
| If email as identity is insufficient for your use case, ask the
| user for a government credential using Stripe Identity or
| ID.me, or doing a token amount charge on a financial account
| the user has access to (offloading the identity proofing to
| their bank) to bring their account back up to a higher
| assurance level during an access reset.
|
| I recommend recovery contacts if you're in the Apple ecosystem.
| Tangentially, set up legacy contacts as well.
|
| https://support.apple.com/en-us/HT212513
|
| https://support.apple.com/en-us/HT212515
|
| https://support.apple.com/en-us/HT212360
|
| (customer and corp IAM is a component of my work at a FinTech)
| hsbauauvhabzb wrote:
| Google Authenticator decided to nuke all my existing MFA tokens
| during a recent update/refresh of their app.
|
| I can tell you to sort your redundancy now, it's much easier
| than later.
|
| I can also tell you to avoid google tooling, they seem
| completely disinterested in support and more interested in
| market share.
|
| Google can go to hell for the time / account access I lost,
| fuck them.
| morpheuskafka wrote:
| This article is from April 2020, over three years ago.
|
| Since then, both Apple and Google have implemented WebAuthn for
| passwordless account signin. Best Buy does too.
| candiddevmike wrote:
| Still sucks to add it to your app. You pretty much have to use
| a library or you'll be maintaining all of the device level
| quirks yourself. OIDC has the same problem where the standard
| was too loosey goosey and didn't provide a true standard
| interface, leading to some special handlings for providers.
|
| IMO, folks who write standards need to write them with the best
| interests of the developers who will be integrating it, not the
| service providers.
| ajkjk wrote:
| ... Best Buy?
| toomuchtodo wrote:
| One of the first!
|
| https://old.reddit.com/r/apple/comments/xk6hiq/bestbuycom_am.
| ..
|
| Tracking: https://passkeys.directory/
___________________________________________________________________
(page generated 2023-07-02 23:00 UTC)