1. 18
  2. 5

    > but passkeys aren’t so complex that it’s unreasonable for people to know what’s going on

    Yeah, I guess compared to WebAuthn with FIDO2 tokens, but if you are not familiar with that, it is still insanely complex for the purpose… Apparently WebAuthn, even with all its extensibility, wasn’t flexible enough to also (transparently) accommodate passkeys :/

    It was a big mistake not to properly integrate this in browsers like Basic/Digest auth, or even using something like <keygen> where one doesn’t require any JS in the browser at all to make it work. Also, why not limit this to modern cryptography, still all this legacy!

    Negative algorithms, loving this:

        pubKeyCredParams: [{
          type: "public-key",
          alg: -7
        }, {
          type: "public-key",
          alg: -257
        }],
    

    Matthew Green wrote about this almost 10 years ago, nothing improved.

    1. 7

      For what it’s worth, FIDO2 tokens aren’t any more complex. What’s new, and that has been developed to improve the user experience when using passkeys, is the non-modal UI.

      Most of this code would work for regular FIDO2 authenticators all the same, except that the author disables their availability by setting authenticatorAttachment: "platform" in the authenticator selection, which limits authenticators to those that are provided by the platform, that is, passkeys. Without it, you could just as easily use authenticators that support client side discoverable (resident) keys as well. And for many services, having client side discoverable keys might not be that important. It is needed if you wish to support passwordless login - that is, having your authenticator be your only factor. But if you’re just using it as a second factor, you can support tokens that don’t support client side discoverable keys with a bit of extra effort, namely storing 64 extra bytes for each authenticator, and providing a list of authenticator IDs and their extra data when asking for authentication.

      I’m a bit annoyed that the author specialized this for purely passkeys, when just a tad more effort would generalize it.

      Though I still think you should be using a library for this. There’s a bunch of ways to get it wrong, and it’s worth using a library to avoid most of them. I especially like the py-webauthn library, as it only has 4 methods that you use. You still have to deal with data (de-)serialization, but that isn’t too difficult.

      Some additions: As for a JS-less way, I’ve filed an issue on this a while ago, but it isn’t moving quickly, both because nobody is willing to dedicate time to this, and there are some complexities involved with marshaling binary data on the web.

      Basic/Digest auth is probably not happening any time soon, as WebAuthn requires a challenge-response, and that doesn’t have a precedent with the Authentication header use AFAIK.

      1. 2

        I’d up-vote your response multiple times if that were possible!

        > Some additions: As for a JS-less way, I’ve filed an issue on this a while ago, but it isn’t moving quickly, both because nobody is willing to dedicate time to this, and there are some complexities involved with marshaling binary data on the web.

        Upvoted it there as well. Reading my way through :)

        > Basic/Digest auth is probably not happening any time soon, as WebAuthn requires a challenge-response, and that doesn’t have a precedent with the Authentication header use AFAIK.

        Digest is “challenge/response”, maybe not exactly in the way that would be required for fido2/webauthn/passkeys, but I guess also not that different either: https://datatracker.ietf.org/doc/html/rfc7616

        1. 1

          > Digest is “challenge/response”, maybe not exactly in the way that would be required for fido2/webauthn/passkeys

          Oh, I mistook it for Token auth. Looking over it, yeah, something resembling that could be done with webauthn, though only when using client side discoverable keys, which is a tad annoying as hardware keys usually have a fairly limited storage for them, and usually can only store less than 100. Enabling it for non-resident keys would require the server to know what user is trying to log in before issuing a challenge, which would require one more roundtrip, and I’m not sure if that’s viable.

    2. 3

      What are passkeys? I think the blog post doesn’t give any explanation whatsoever.

      1. 6

        Essentially what Apple, Google and Microsoft decided to call platform controlled FIDO2 keys. Their plan is to have them backed up on the cloud in some way so they could be synced between devices, to make using them for end users easier. More information on https://www.passkeys.io/

        1. 2

          Thanks a lot!

      2. 1

        If you’re interested in this sort of thing, we’ve created a JSON signing library in Go and JavaScript.

        https://github.com/Cyphrme/Coze

        We’d love to see it used more.
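
Added example, not written by any commenter in this thread and not taken from the article under discussion: the two authentication modes described in the comment above about second-factor tokens (passwordless with client-side discoverable keys versus a per-user list of stored credential IDs), together with the base64url marshaling of binary fields that the same comment mentions. The user store, function names and the userVerification choices are assumptions made for illustration.

```javascript
// Hypothetical names throughout (users, buildRequestOptions, decodeRequestOptions).
// Constructed sample store: credential IDs saved at registration as base64url text.
const users = {
  alice: { credentials: [{ id: "AQIDBAUGBwg", transports: ["usb"] },
                         { id: "_-7d3Lu6", transports: ["internal"] }] },
};

// base64url <-> bytes: the marshaling step between JSON and WebAuthn buffers.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Server side: JSON-safe request options.
// No username  -> passwordless: allowCredentials is empty, so only client-side
//                 discoverable credentials can answer the challenge.
// With username -> second factor: list the stored IDs so tokens without
//                 discoverable keys can be used too.
function buildRequestOptions(challengeBytes, username = null) {
  const user = username === null ? null : users[username];
  if (username !== null && !user) throw new Error("unknown user");
  return {
    challenge: bytesToB64url(challengeBytes),
    // Assumption: the sole factor must verify the user; a second factor need not.
    userVerification: username === null ? "required" : "discouraged",
    allowCredentials: (user ? user.credentials : []).map((c) => ({
      type: "public-key", id: c.id, transports: c.transports,
    })),
  };
}

// Client side: restore the binary fields that navigator.credentials.get() expects.
function decodeRequestOptions(json) {
  return {
    publicKey: {
      ...json,
      challenge: b64urlToBytes(json.challenge),
      allowCredentials: json.allowCredentials.map((c) => ({ ...c, id: b64urlToBytes(c.id) })),
    },
  };
}

// In a browser: await navigator.credentials.get(decodeRequestOptions(json));
```

The second-factor path is the one that needs the username before a challenge can be issued, which is the extra round trip raised later in the thread.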