View Issue Details

ID: 3581
Project: Composr
Category: core
View Status: public
Last Update: 2024-07-25 21:41
Reporter: Chris Graham
Assigned To: Guest
Priority: normal
Severity: feature
Status: new
Resolution: open
Summary: 3581: Web Authentication (passwordless login matching private keys on phones to public keys on websites being logged into) [passkeys]
Description: There's a new W3C "web authentication" spec, that has moved to candidate recommendation stage.

It will be a way of logging into sites direct from your web browser.

Update tut_webapp to reference the specs.
Additional Information: It's coming soon to Firefox and Edge.
Tags: Type: Security, Type: Standards compliance
Time estimation (hours): 32
Sponsorship: open

Relationships

related to 974 Resolved Chris Graham Composr non-bundled addons Implement oAuth login framework
related to 1387 Not Assigned Guest Composr 2-factor-authentication overhaul
related to 3649 Not Assigned Guest Composr 2-step login
has duplicate 5482 Closed Chris Graham Composr Implement passkeys

Activities

Chris Graham

2019-03-04 18:27

administrator   ~5930

https://venturebeat.com/2019/03/04/w3c-approves-webauthn-as-the-web-standard-for-password-free-logins/

Chris Graham

2019-06-27 15:37

administrator   ~5995

I'm hoping this tech will be a Facebook Login, OpenID, and oAuth killer (for login purposes). Then we can move to a web standards approach, and even remove Facebook login support.

Chris Graham

2019-07-30 23:13

administrator   ~6062

Looking at the tech, I can see this is a 'passwordless login' kind of technology, and not an identity technology. So it won't generate a username, won't provide your e-mail address, etc.
I think realistically this means it's not a Facebook Login competitor - it's not going to be able to provide one-click registrations.

Chris Graham

2021-02-04 21:34

administrator   ~6936

Last edited: 2021-02-04 21:37

Good articles:
https://www.vegard.net/webauthn/
https://webauthn.guide/

Chris Graham

2021-02-04 21:40

administrator   ~6937

I have a feeling this tech will be stillborn. It's complex to implement, needs to work seamlessly across many new integration layers, and it seems to be anti-2FA - it's not trying to supplement passwords, but remove them. That means access to your phone+unlock-code becomes a key to everywhere.
I think regular 2FA is a better bet, then we can implement this if it looks like all the big players are adopting it.

Chris Graham

2022-09-27 17:18

administrator   ~7528

Here is the draft version of the webauth spec:
https://w3c.github.io/webauthn/

There is also another spec which allows login using encryption keys:
https://w3c.github.io/vc-data-model/

Chris Graham

2024-07-25 21:41

administrator   ~8954

The Passkey launch by large companies has largely been talked about as a failure. I haven't time to dig into that now, but there have been many standardized technologies over the years that just haven't panned out and this may be another one of them. Look at adoption/success rates before seriously considering implementing this.
What seems to be getting popular instead is reframing regular username/password login as "Log in with email", and then having "Log in with Google" etc as equal top-level log in choices (as opposed to alternative log in forms).


Issue History

Date Modified Username Field Change
2018-04-10 19:18 Chris Graham New Issue
2018-04-10 19:18 Chris Graham Tag Attached: Type: Security
2018-04-11 01:15 Chris Graham Relationship added related to 974
2019-03-04 18:27 Chris Graham Note Added: 0005930
2019-03-04 18:28 Chris Graham Relationship added related to 1387
2019-06-17 18:40 Chris Graham Tag Attached: Type: Standards compliance
2019-06-27 15:37 Chris Graham Note Added: 0005995
2019-06-27 17:38 Chris Graham Tag Attached: Roadmap: v11
2019-06-27 17:39 Chris Graham Tag Attached: Roadmap: v12
2019-07-30 23:13 Chris Graham Note Added: 0006062
2019-07-30 23:13 Chris Graham Tag Detached: Roadmap: v12
2019-07-30 23:13 Chris Graham Tag Detached: Roadmap: v11
2021-02-04 21:34 Chris Graham Note Added: 0006936
2021-02-04 21:37 Chris Graham Note Edited: 0006936
2021-02-04 21:38 Chris Graham Summary Web Authentication => Web Authentication (passwordless login matching private keys on phones to public keys on websites being logged into)
2021-02-04 21:38 Chris Graham Sponsorship open 0 =>
2021-02-04 21:40 Chris Graham Note Added: 0006937
2022-09-27 17:18 Chris Graham Note Added: 0007528
2022-10-06 00:01 Chris Graham Description Updated
2023-12-10 16:13 Chris Graham Relationship added related to 5482
2023-12-10 16:18 Chris Graham Relationship added related to 3649
2024-07-25 21:38 Chris Graham Summary Web Authentication (passwordless login matching private keys on phones to public keys on websites being logged into) => Web Authentication (passwordless login matching private keys on phones to public keys on websites being logged into) [passkeys]
2024-07-25 21:38 Chris Graham Relationship replaced has duplicate 5482
2024-07-25 21:41 Chris Graham Note Added: 0008954