Webauthn Alternatives

webauthn reviews and mentions

• Passkeys – Under the Hood
  2 projects | news.ycombinator.com | 17 Mar 2024

  Sure, but why not preserve the option for people to use hardware keys?

  Unfortunately, both the FIDO and WebAuthN working groups seem to be dead-set on making the hardware authenticator use case as painful as possible [1] [2] [3].

  I just don't get it. Why even try to pretend that WebAuthN is a single API for both use cases when all stakeholders in charge seem to have given up on one of them?

  [1] https://github.com/fido-alliance/how-to-fido/issues/16

  [2] https://github.com/w3c/webauthn/issues/1612

  [3] https://github.com/w3c/webauthn/issues/1822

• KeePassXC Issue: [Passkeys] should never be exported in clear text
  2 projects | news.ycombinator.com | 13 Mar 2024

  I'm not trying to do callout posts or anything here, I know that the people involved are genuinely trying to do their best. I'm grateful that Bitwarden is involved with passkeys. But, for all of that gratitude, I still have to say: Bitwarden got a huge amount of attention for being the Open Source implementation of this, and Bitwarden and 1Password were both used as examples that shut down criticisms about portability, and lack of communication and clarity is a big part of how Bitwarden/1Password got used to spread what I would genuinely consider to be misinformation about the current state of the passkey ecosystem.

  It's not just that export wasn't supported, it's that this giant limitation that was in many ways the reason why people were so excited about Open implementations in the first place was quietly left unsaid.

  I really genuinely do appreciate the work everyone is doing. But at no point when Bitwarden was writing posts and releases about passkey support did anyone writing that stuff think, "people will think this means export is supported, we should clarify that."?

  It's so hard not to look at this communication and not think that these kinds of details were deliberately omitted. I'm sure they weren't! I know that emotions are wrong and that everyone involved means the best. But crud, that is how it feels.

  How many people who got excited about Bitwarden's implementation even know that they still can't export and import their passkeys? Maybe that'll be a fun surprise for them next time they try to do an import into a new account. Bitwarden's announcements didn't mention this limitation, and as a result no press coverage of Bitwarden mentioned this, and any casual observer who didn't know to go read the documentation and deliberately ask about it would come away from this coverage thinking that export was supported -- and in fact I would argue people did. People think the portability problem is solved because Bitwarden and 1Password exist.

  Needing to double-check this kind of stuff, not having transparency or open conversations about any of it is part of the regular frustration of trying to learn about the passkey ecosystem. Very often when I talk to people in industry about passkeys, I will get answers that really sound like they are addressing people's concerns. And then you dig into them, and... they don't. But that's never communicated unless you do the research. So much of the advocacy is saying stuff that is technically true, but has huge unmentioned caveats or that doesn't actually when you dig into it address the concerns that people have or is using some weird definition that isn't what most people would use.

  "Passkeys are portable now!"

  "So I can export them?"

  "Well, that depends on what your definition of portable is."

  Bitwarden never technically said that it supported export, but I'm going to go out on a limb and say that a lot of casual observers reading about portability and sync and OS-independence think that Bitwarden does support export, and Bitwarden really isn't going out of its way to avoid that impression. I mean, props for having it in the user docs, that is better than 1Password. +1 for Open Source being more transparent than proprietary software, genuinely I appreciate it. But the only reason I know that Bitwarden doesn't currently support export... is because I knew that I couldn't assume it and I knew that I needed to check the docs. It's not something that's communicated in the announcement, it's not something that's communicated in the FAQ, it's not something that's communicated in any press coverage, it's not something that's communicated unless you know what to Google search.

  ----

  > The best place to argue this “in the open” is by raising issues in the w3c/webauthn repo, or meetings, which is open.

  Here are the open issues about portability: https://github.com/w3c/webauthn/issues?q=portability

  Maybe I'm searching wrong? Here's migration: https://github.com/w3c/webauthn/issues?q=migration

  What am I missing here? I apologize if there's some thread that I just haven't been able to find, but... if this is an open process, where is the conversation happening? I don't want to be a jerk about this; should I be showing up at w3c meetings and complaining about other meetings that aren't happening there? That doesn't seem helpful to anyone, I don't see how that would be productive. But if this is genuinely happening as part of the w3c/webauthn space, then where in that space are the conversations about portability and export? What issues should I be following?

  Is the problem that nobody has raised an issue in that space? Because that's a very weird thing if true; I've been told for nearly a year that work is ongoing on migration/export. In all that time, none of that conversation ended up on the webauthn repo, the ostensibly official place for the spec to be discussed?

  This just feels like a dismissal; if the webauthn repository is where these conversation should be happening, then why aren't they happening there? This isn't Bitwarden's fault, I'm speaking broadly to anyone involved in this process -- this is a multi-company process that has been happening for months and months and months and I would love to know where those industry-spanning conversations actually exist, so that I can stay up to date on what's going on without needing to search for crumbs of developer updates on Reddit, Mastodon, and Twitter.

• Implement passkeys on our own sites
  1 project | /r/webdev | 7 Jun 2023

  I agree, FIDO and webauthn. As for implementing, here's the API GitHub link .

• Passkeys now support external providers
  2 projects | news.ycombinator.com | 6 Jun 2023

  https://github.com/w3c/webauthn/issues/1667

• What are passkeys?
  2 projects | /r/Bitwarden | 5 Jun 2023

  If you're doing something like passwordless and usernameless, then your locally stored credential has an ID that was generated during registration. This is sent as part of the authentication request, and the relying party has a way of association which credential ID's are linked to which user accounts. The credential portion is talked about in section 5.1 of the https://w3c.github.io/webauthn docs.

• Understanding Passkeys
  3 projects | news.ycombinator.com | 18 May 2023

  > Apple's passkeys do not provide attestation

  Apple has their own anonymous attestation format[1] that some (unclear which?) of their WebAuthn authenticators support.

  In principle the relying party could use this to verify the authenticity of the authenticator back up to Apple's WebAuthn root CA[2]. In practice, I'm not sure if that attestation is included by default (or whether significant portions of users opt out of it, when prompted by their browser).

  [1]: https://github.com/w3c/webauthn/pull/1491

  [2]: https://www.apple.com/certificateauthority/Apple_WebAuthn_Ro...

• Once Passkey Rolls Out, Doesn't It Negate the Argument To Keep TOTPs on A Separate App?
  1 project | /r/Bitwarden | 16 May 2023

  There is a great comment thread in the WC3/WebAuthn Github Issues (January 2022) that was pre-publication of the Multi-Device FIDO white paper that prompted all the Passkey stuff (March 2022). https://github.com/w3c/webauthn/issues/1691 The OP of this issue is rightly pointing out that Passkey/MD FIDO is somewhat broken without enforcing the devicePubKey extension. The detractors in the thread are pointing out that it's not something they can enforce.

• Yubico is merging with ACQ Bure and intends to go public
  6 projects | news.ycombinator.com | 19 Apr 2023

  The idea of authenticator hardware is inherently hostile to DIY and open source because you cannot produce or extract a keypair to generate valid attestation statements. Unless you are part of the cartel of course.

  https://w3c.github.io/webauthn/#attestation-statement

• Interested about passkeys but
  1 project | /r/Bitwarden | 4 Apr 2023

  Given the Webauthn standard, there could be more than one answer to this question, so here is a list of relevant information:

• Passage Is Joining 1Password
  2 projects | news.ycombinator.com | 4 Nov 2022

  That's a once type thing, the website is supposed to prompt you after that QR login whether you'd like to enroll your local authenticator (Chrome, Edge, Firefox,etc) after you login so you don't need to keep using the QR code.

  The concept is that many people will frequently have multiple passkeys, thus not be 'locked in' to any one sync ecosystem.

  From https://github.com/w3c/webauthn/wiki/Explainer:-broadening-t...

  > When signing in on a different computer, either the credential will already be locally present (if the computer is using the same sync fabric as the phone) and suggested by autocomplete, or else the user’s phone can be used to transmit the assertion to the computer. In the latter case, the service may invite the user to enroll a local platform authenticator for easier sign-in in the future. (Now the newly registered credential may be part of a different sync fabric, and thus enable local sign-in on other devices.)

• A note from our sponsor - InfluxDB
  www.influxdata.com | 25 Apr 2024

  Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality. Learn more →