Ask HN: Why is WebAuthn so slow to take off?

Yes I was thinking of the theft scenario, for remote usecases it is definitely safer. I think webauthn could be great for 2fa without phones. But there are important things missing. For example the google authenticator app has an established way to backup and sync now. There is no such manual backup and sync possibility for Windows Hello passkeys. It's all a bit new now. I suppose as a website owner I would have to let people register multiple passkeys and then the user only has to have one of them to successfully log in. Hm it might be okay. And of course Chrome already added sync support for their passkeys but you can't rely on everyone using Chrome.

> My hope is that one can bring your own provider.

Everyone always says this, but it's always just a hope. And given the history of the FIDO Alliance standards on backing up keys, and given the players involved, I think it's reasonable to say that people just straight-up should not use passkeys until it's not a "hope" and backup/migration actually works as part of the standard itself.

Note that this doesn't mean:

- Migration is allowed but not mandated. Migration must be built into the standard or else vendors will eventually introduce lock-in in the future under the guise of security. It can not be optional.

- Migration is allowed through special contracts using some locked-down behind-the-scenes company-to-company transfer. I need to be able to sit down on my Linux computer with an Open Source piece of software that I compiled and I need to be able to move the keys from my iCloud account to that software.

I want to assume good faith from the FIDO Alliance standards, but some of the messaging around this has been straight-up deceptive. 1Password advertised itself as solving the portability problem, but last I checked it doesn't. 1Password is device agnostic but does not allow exporting your passkey information to another account.

I've run into so many scenarios where advocates straight-up misrepresent what portability means that I now give really specific tests instead, because otherwise the conversation doesn't go anywhere. I keep running into advocates that tell me "it's usable today" and in the same breath tell me "it's early days, we'll get to the portability stuff later."

So the specific criteria is: if I can't compile my own software on a Linux computer and move my "keys" or whatever authentication mechanism is tied to that account into that software as a single operation without logging into and re-validating every single account individually or adding another authentication mechanism to each account, then it's not portable and I'm not using it. It needs to specifically allow for that, and there needs to be a real working Open Source project that I can run today that allows it. Otherwise, it's not actually portable today. Furthermore, if I do compile my own software and move in those keys and then I go to log into a website and a service refuses to let me log in because I've failed a hardware attestation check and I need to use an Apple device to log in -- then it's not portable. That cannot be something that the spec allows or encourages, or it's not actually portable.

But (and as always, I would be thrilled to be proven wrong about this) the spec itself allows for that kind of behavior with hardware attestation with basically no downside other than a "please be a nice company and don't do this" warning, and noise from the FIDO Alliance advocates I've seen online is that they don't want to mandate a specific migration format in the spec or make migration a requirement for companies that want to advertise that they implement Passkey; they want to leave that process up to individual companies under the "hope" that those companies will do the right thing.

I'm not just not adopting Passkeys, I'm actively discouraging adoption of the standard until that's fixed. I'm not signing into a locked-down ecosystem under the hope that it might become more open later in the future, maybe. There's a version of Passkeys that I would be excited about and that I would build support into my projects for, but it's not the version that exists today.

Which the masses were never ever ever going to adopt, not in a million billion years.

I use 1Password for TOTP. It has a screenshot option to scan the QR code during setup. It's handy.

it seems I entirely missed the red text on Firefox that says "Your browser does not implement Conditional UI" so what Firefox did was to probably prompt for the old WebAuthn and I guess that's Windows Hello which makes a lot of sense to me. I wonder whether Firefix will also show me the QR code signin as the default on desktop once they implement it. Like you said...in my opinion this makes no sense, obviously as a desktop user using a desktop site I want to remain on my desktop hardware device.

Or am I misunderstanding you and you want to log in on desktop with the same passkey that you generated on mobile? I think that is never supposed to work, it's supposed to be tied to the device.

As I recall it, this is more or less what Mozilla wanted to do with Persona back in the day. That didn’t take off, but the approach with WebAuthN is perhaps an evolution of it especially in terms of making public key crypto user-friendly. Of course, the challenge is different in a multi-device world when you want your phone, tablet and laptop to all use the same login without using a hardware key.

If the password is properly managed, how does it matter if its hash leaks?

> Standards enable flexibility which enables possibility.

what?! standards are the opposite of flexible. by definition.

here's something that is better than webauthn, published and battle tested since 2018, and nobody cares: https://hacks.mozilla.org/2018/11/firefox-sync-privacy/

it have all the advantages of webauthn, plus it is truly on-device, no middle man, you can easily recover keys simply by having more than one device... no server can read or data. only silly thing is that firefox insists on shipping with the auto-fill option enabled by default.

only feature missing that this thread seems to brings up is support for external usb devices (which i personally don't care for, but is probably on the roadmap)

--

i'm blocked from adding replies, so replying here:

> it does passwords not keys

well, that is what worked on 100% the internet in 2018 (and today, ha!). But it is a data store where you have full control. ironically this is what gives true flexibility, a well designed system with fully open source implementation and apis, not spec by ad vendors as claimed before. anyway, The existing browser implementation does passwords (and bookmarks!!!) but you can extend to be a distributed yubikey if you'd like. nothing is blocking you. as I said, it is something better than a hardware store, better than a cloud broker for your identity, etc... but nobody cares. And now that FIDO has marketing from the big Advertisers everyone wants it yesterday.

1Password has passkeys in beta.

Cannot be phished by currently known methods. Trust me, sooner or later they will find a way. Either through specific implementation issues, workarounds etc. Remember when everyone shrugged off concerns about sms 2fa codes?

recovery is easy. i'm a customer of all these companies so i have faith i'll be able to convince them i'm me if it comes to that. and i keep a handful of hardware keys to make self-recovery easier if i lose or break one. most of my practices are to mitigate risks i personally know how to mitigate, and doing it while causing myself as little headache as possible. being able to auth using touch id on my personal laptop is great for day to day usage.

It seems that they are set up to be like this already. At least Chrome+Android treat these passkeys like any password and they can be synced and accessed via API. I already see my passkeys in Chrome btw. https://developers.google.com/identity/passkeys/supported-en...

This sounds pretty good to me, this is therefore like a regular old password except it's a cryptographic key that I don't have to remember and it's secured by whatever device PIN or face unlock that the device has. I think this might have a chance to succeed. Unfortunately the UI popups they implemented are not good, they need to remove the "usb security key" option and hide it under an advanced options tab. Anyone who uses that is an expert, please only prompt for the default device verification, like Windows Hello or face unlock on an iPhone.

Also the fact that Chrome by default prompts for a QR code + mobile signin flow is a bit crazy to me, it seems they are very confident that everyone who has a desktop wants to login via phone. Which makes no sense to me, do I really want to use my phone to login to all my desktop applications? I don't think so, maybe younger people who only have laptops + phones do this but still.. why would this be the default, surely Windows Hello or whatever MacOSX uses on desktop is still faster than picking up my phone constantly. I tried it and I was very surprised that it almost worked flawlessly. It asked me to automatically turn on my bluetooth, it connected to my PC's bluetooth within seconds and actually created a working login for my desktop via my mobile phone. It's impressive that this worked... except for the part that the "sign up" popup on desktop never went away automatically!

> with the slightly added benefit that I don't have to worry about a sites shitty security practices.

I mean, here's the thing, I already don't have to worry about a site's shitty security practices because I'm using a random password for each account. Sure, my email could be leaked, but it's available on my CV anyway so, uh, congrats?

You also won't have access to the TOTP backup of emergency codes.. If you get hit on the head or have the trauma of your life you might not have a password.

These are tradeoffs that people use to balance security. Many people will lose to a sim swap despite not needing access to their life savings while on vacation with absolutely no proof of identity and a fallible memory.

In other words, having a hardware key is not a real barrier to use.

Right, but that gets rid of the objection: there’s no second thing to buy and carry around, it’s faster, and it’s more secure than the alternatives.

The average user is not typically subject to remote attacks. There are exceptions of course. However we should design the default security experience for the threats the average user faces. Most users aren't being targeted by the NSA, etc.

Unless you mean the webserver they use being attacked, but that is just as vulnerable for 2fa. The only difference is the user cannot screw up and use the same credential on multiple websites with 2fa.

Don’t most people that this this “correctly” use a password manager which stores passwords on the same device as stores the totp token and generates the one time code? Doesn’t this effectively turn your password into a device that you have, effectively turning the first factor (something you know) into something you have, while the second factor (something you have) is the same thing you have from the first factor (your phone)?

Even people that do this incorrectly and reuse passwords, probably also store their passwords in their browser, which is on the same device as their authenticator app. So I would guess by far majority of people are only using something they have twice.

Here's the concept. Perhaps we have the order wrong. Maybe the physical factor should be the primary factor. The second factor should never be transmitted, but rather is used to unlock the physical factor.

Well all the major browsers are on board—it’s really in the hands of the dev/product community now.

The "something you have" shouldn't be easily replicated. If someone could capture your SSH key passphrase and copy the ssh private key then it's not an actual 2FA. a device like a Yubikey won't let you extract the stored keys, so the only way to gain access is to steal the physical key and that makes the attack much harder to do stealthily.

Even if they snatch it unlocked they still can’t login because there’s an extra biometrics check required for WebAuthn

It is still 2FA. Something you have (passkey on a device) and something you are (LIDAR map of your face and pulse).

Yes, but in order to enable it, they require that you enable an app first.

I can only assume that this tactic is usually an attempt to maybe get your phone number, depending on which phone-based method you choose. Which is especially weird for ProtonMail.

Spin up a VM to use ?

I hear you, but the not so cool thing about SMS is how trivially easy it is to clone a SIM. My level of trust for information passing through the SMS channel is near-zero.

Also - thanks to that FIDO2 does not seem to be usable with Microsoft's MS365 services [ Teams, Outlook, Excel etc ] on Android or iOS. there's no way to provide pin for the security key, regardless if it's plugged in via the USB port or used via NFC.

https://learn.microsoft.com/en-us/azure/active-directory/aut...

bummer

Those bruteforce protections aren't really worth a lot in practice. If you have physical access to the device, you will eventually be able to find a way to glitch it - as things like Cellebrite have already proven for the iPhone.

It's basically impossible to answer that hypothetical right now, because it depends entirely on the choice of client software. And that's still something that's evolving; it's just that Apple/Google/MS have the most prominent implementations here.

If you have an iPhone and a Mac? No, your iPhone will log in via iCloud keychain. You use touchid/faceid to auth as usual.

If you have an Android phone and a Chromebook/use Chrome? No, it will get sync'd implicitly. You use whatever the equivalent of touchid/faceid is to auth, as usual.

If you're using some third party, pure-software, syncing solution? No, probably not. For example, existing password managers will probably just store the key material, encrypt it, then sync across devices. Again, pure software solution. You use 1Password on Windows 11 and also on your iPhone? You'll probably be fine. (Note: this is hypothetical, because 1Pass doesn't support it yet, but this is probably how it will shake out.)

If you want to login with your Chromebook using a key it has generated and not export/sync the key, and you also have an iPhone at the same time you want to login with? Yes, you will need multiple keys, one for each device, and you will need to provision them.

Realistically this is also a change to login flows on the server as well, so there's work to be done for the UX. For example many server-side auth packages are still adopting Passkeys into their flow, they need to change their schemas and frontends. One change to explore e.x. is you can ask the user after registering with WebAuthn is to register other devices, if they have them. Whether or not that's a workable solution remains to be seen.

Sorry if it wasn't clear:

If you logged in to HN using Safari on a Mac the private-key (a.k.a "password") got chucked into your keychain as part of the account creation flow and is synced across all your iCloud devices.

So on your phone when visiting the HN login page you'd just be prompted for a fingerprint by TouchID and in you go. Actually quite seamless. This would be what 90%+ of users experience as normal people don't fiddle with defaults.

I don't use Windows but they have some sort of iCloud Passwords thing for Windows now too apparently. Just dipping their toe into slowly making it cross platform.

It becomes less seamless and more of a hassle when you are using multiple keychains or 3rd party apps which probably a lot of people here are. What I described is that case, when you have both an Android phone and an iPhone and they are completely sequestered from each other (maybe personal and work?).

This depends on the implementation.

If you are in Apple world, your keys are synced between iOS and macOS (and saved in Secure Enclave, so you need TouchID/FaceID to complete flow.) In 'Google' world, you can use them between Android devices and Chrome browser.

However, if you access from unsupported app/device (e.g. use Apple Passkeys and want to access from browser on Linux machine), you can always just scan QR code with phone, and use it to log-in.

You can try it on https://www.passkeys.io

Oh, got ya. In that case it's even better to use the same app for authentication. I though mobile app was not an option for that bank.