[HN Gopher] WebAuthn Is Great and It Sucks
___________________________________________________________________

WebAuthn Is Great and It Sucks

Author : stargrave
Score  : 22 points
Date   : 2023-07-02 20:35 UTC (2 hours ago)

(HTM) web link (sec.okta.com)
(TXT) w3m dump (sec.okta.com)

| SoftTalker wrote:
| It will fail, like all attempts to replace passwords have failed,
| because it doesn't address the problem that all the others didn't
| address: users don't understand it.
|
| Users understand passwords. They even understand entering a
| 6-digit number that was texted to their phone. That's about it.
| It has to be that easy, or it will fail. If you have to start
| talking about public key cryptography, you're doomed.
| baybal2 wrote:
| [dead]
| kahnclusions wrote:
| Also, most of the marketing totally fails at explaining what
| passkeys are to both ordinary users AND developers.
|
| What is a passkey? Most material I've read just defines them as
| a "credential" that is "used as an authentication method."
| That's it. It's a credential. What kind? Who knows. Only when
| you arrive at the Apple developer page you finally learn that
| they are "cryptographic key pairs". And then you start digging
| into WebAuthn, get a throbbing headache, close your laptop, and
| do something else productive instead.
| klabb3 wrote:
| Agreed it's partially an education problem. But it has no more
| inherent UX complexity than passwords, at least not on the
| happy paths. People are already used to having, say, boarding
| passes in their "wallet" apps, so device-specific isn't that
| hard to grok. In modern countries, you also have strong
| authentication systems for banking and government errands etc,
| which are used by millions of regular people every day without
| issue, despite spooky public keys lurking underneath.
|
| I worry much more about the account recovery UX and issues. If
| you lose your phone, how to replace it? Is that replacement
| path a prime target for attackers? I'd argue key distribution
| (issuing, rotating, revoking, multi-device) is where almost all
| the subtle pitfalls are.
| artdigital wrote:
| Little question on that topic.
|
| Maybe it's that all this stuff is still new, but whenever
| something offers PassKey support I now add 3:
|
| - one on Android
|
| - one on iOS
|
| - one in 1Password
|
| Even more fun when it's mixed with YubiKeys: add primary key and
| secondary key to that list.
|
| I now have a spreadsheet to write down which website has which
| keys added, to keep track. Hopefully something like 1Password will
| handle that soon, but I don't want to risk losing access to my
| iCloud or Google and getting locked out. Even more confusing when
| browsers like Chrome offer to save a passkey into the browser,
| which is synced only within that browser (I think, the exception
| being Safari).
|
| How are you all handling that?
| lxgr wrote:
| For this reason, I don't really use WebAuthN as my (only)
| second factor - yet.
|
| We'll soon be able to sync these across platforms using
| password managers, though. Android already has an API available
| for them to integrate, I believe; iOS will follow in autumn.
| aseipp wrote:
| In the next version of iOS you'll be able to use a third-party
| app to handle the Passkey flow, like how a 3rd-party app can
| handle the password flow today. So you'll be able to remove
| your passkey from iCloud and use the one inside 1Password
| instead.
|
| Also, I think the browser thing with Chrome is a matter of
| extension support; in Edge with the 1Password Beta Extension,
| 1Password definitely takes over Passkey flows instead of using
| the (absolutely insanely confusing) Windows Hello UX. Just like
| it takes over password saving (there's an option in settings
| that shows password sync settings are controlled by the 1Pass
| extension). So you may just need to use the Beta extension in
| your Chrome for now, and I think 1Password will take over from
| there.
|
| Basically we're moving towards a setup where you trust your
| password manager to hold onto your passkeys and then the OS
| will allow that integration. I don't know what the status of
| these features is on Android.
| toomuchtodo wrote:
| If I get locked out, I expect the ability to reset my passkeys
| (stored in iCloud primarily) with an email, just like I would
| with a password reset. Passkeys are cryptographic primitives
| replacing password strings, not replacing identity. There is a
| difference.
|
| The Home Depot mobile app does something similar already.
| Passkeys/biometrics for persisting an iOS session, and to re-up
| a session, you get emailed a six-digit code to your email.
| Why have the password?
|
| If email as identity is insufficient for your use case, ask the
| user for a government credential using Stripe Identity or
| ID.me, or do a token-amount charge on a financial account
| the user has access to (offloading the identity proofing to
| their bank) to bring their account back up to a higher
| assurance level during an access reset.
|
| I recommend recovery contacts if you're in the Apple ecosystem.
| Tangentially, set up legacy contacts as well.
|
| https://support.apple.com/en-us/HT212513
|
| https://support.apple.com/en-us/HT212515
|
| https://support.apple.com/en-us/HT212360
|
| (customer and corp IAM is a component of my work at a FinTech)
| hsbauauvhabzb wrote:
| Google Authenticator decided to nuke all my existing MFA tokens
| during a recent update/refresh of their app.
|
| I can tell you to sort your redundancy now; it's much easier
| than later.
|
| I can also tell you to avoid Google tooling; they seem
| completely disinterested in support and more interested in
| market share.
|
| Google can go to hell for the time / account access I lost,
| fuck them.
| morpheuskafka wrote:
| This article is from April 2020, over three years ago.
|
| Since then, both Apple and Google have implemented WebAuthn for
| passwordless account sign-in. Best Buy does too.
| candiddevmike wrote:
| Still sucks to add it to your app. You pretty much have to use
| a library or you'll be maintaining all of the device-level
| quirks yourself. OIDC has the same problem, where the standard
| was too loosey-goosey and didn't provide a true standard
| interface, leading to some special handling for providers.
|
| IMO, folks who write standards need to write them with the best
| interests of the developers who will be integrating it, not the
| service providers.
| ajkjk wrote:
| ... Best Buy?
| toomuchtodo wrote:
| One of the first!
|
| https://old.reddit.com/r/apple/comments/xk6hiq/bestbuycom_am...
|
| Tracking: https://passkeys.directory/
___________________________________________________________________
(page generated 2023-07-02 23:00 UTC)