0

Security Noob here. I am trying to build a secure passwordless login mechanism for my webservice.

The authentication mechanisms

My idea is to encourage the users to use the following two login methods:

  1. WebAuthn with a FIDO2 token (ideally with biometric security, so something like a VeriMark Guard or a YubiKey. Smartphones also nowadays also offer Face-ID and fingerprint sensors)
  2. Public Key Authentication like SSH/GPG. The users only need to have their backup public key available somewhere, maybe also published on a keyserver. While the private key remains on an encrypted device, or another hardware token in a different geographical location.

WebAuthn is very useful for registering and logging in on a daily basis, but in case of loss or damage it fails.

I am looking for existing best practices in that domain, regulations or just examples that have done something like this before.

In GitHub and GitLab it's possible to e.g. clone repos via SSH authentication, but not logging in on the websites. Why is this seemingly never possible?

Why is most prominent recovery procedure to input a (usually quite short) recovery code e.g. "2957174". This is even more unsafe than having a password?

And yes I am aware that not everyone has access to the required hardware, so password still login still must be possible.

Improve this question
2
  • That recovery code you mention- do you mean to be sent to the user’s email, or for them to remember like a password? Commented Nov 4, 2024 at 20:27
  • for example it's possible to generate Back-Up-Codes for google accounts: myaccount.google.com/two-step-verification Commented Nov 4, 2024 at 20:36

1 Answer 1

Reset to default
2

First off, WebAuthn is public-key authentication. The full title of the W3C WebAuthn specification is “Web Authentication: An API for accessing Public Key Credentials”. Another option for public-key authentication in the browser is mutual TLS where both the server and the client present a certificate and prove ownership of the corresponding private key by signing a hash of the TLS handshake messages. Browsers do not natively support the OpenSSH or OpenPGP protocol. It's possible to make this work with JavaScript or browser extensions, but you should have a very good reason for using a third-party implementation over one of the native solutions.

As to recovery procedures for WebAuthn: The standard solution is register multiple authenticators. If one is lost or damaged, the user can switch to another. There has been a proposal to integrate a proper backup procedure into the WebAuthn protocol, but as far as I'm aware, this is still at an experimental stage. So in practice, the solution is to either require an additional authenticator or employ a completely separate backup procedure. For example, you might offer a long random code which users can (securely) store to recover from authenticator failure.

Note that the short Google codes only replace the second factor in 2FA authentication, and I'm fairly sure the account will quickly be blocked if Google detects multiple failed attempts.

Improve this answer
2
  • The problem is that registering multiple authenticators with WebAuth does not allow adding security keys without having them at the physical location because the "ceremony" requires the key to respond to the challenge of the Relying Party. I want users to spare the hassle of bringing the key each time they want to register or to remember/store a reset token each time they register on a new website. Commented Nov 4, 2024 at 23:25
  • @wahok: Yes, this problem is what the linked proposal by Lundberg and Nilsson addresses. But it hasn’t been standardized at this point. The WebAuthn specification still explicitly states that registering multiple authenticators is the only backup option. Sure, it’s inconvenient, but I’m not sure it’s really a major problem. For example, if the OS supports passkeys, then it’s possible to have one key directly in the OS and a backup key on the phone. So you may not actually have to carry around two dedicated devices. Commented Nov 5, 2024 at 0:06

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.