Webauthn - Introduction to passwordless authentication

Arnaud Dagnelies - Feb 12 '22 - - Dev Community

This is intended to be the first part of an article serie. If you like it, please add a reaction to encourage me to write the subsequent more in-depth articles.

For those who don't know, there is a new protocol under way: "webauthn"

You can try it out here: https://webauthn.io/

Basically, it leverages device authentication (using biometrics like touch or face recognition) to generate cryptographic private/public keys and sign in using those.

The registration flow looks like this:

registration

And once your device is registered, it can use its private key to sign in:

login

Sounds wonderful right? Well, I agree! A world without passwords is a better world.

And since the "principle" looks simple, its usage and APIs should be simple too, right? Well, not quite... The protocol itself is still fairly young and when you go to the official specifications also known as "RFC", you will face an impressive wall of text.

Most of it being technical, verbose and IMHO very challenging. Currently, printing the RFC on plain paper would produce 165 pages! Impressive right?

rfc joke

And this complexity propagates everywhere, even to the interface itself. You do not deal with normal JSON objects that you can simply send to the server, but with native byte array, exotic CBOR (Compact Binary Object Notations) encoding, a multitude of different attestation types, unclear content...

This series is about understanding this protocol better, evaluating a few libraries, implementing passwordless on one's own server, strategies for "one account / multiple devices", what is undergoing change, and so on. The next topic will be "Webauthn - the client side". Stay tuned.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .