nailer 14 days ago

webauthn is a silly name, it stands for web authentication.

A company recently released a product on HN which seemed to be a thin wrapper around webauthn.

So I thought I'd show HN this demo (not mine) so people know that you don't need any software to authenticate users, simply using Windows Hello & TPM, Mac TouchID and Secure Enclave, or Android whatever and TEE.

When you register, the website makes a keypair, TPM/Enclave/TEE store the private key, the website remembers the public key.

When you log in, you use your biometric or USB device to access TPM/Enclave/TEE and sign a message for you. The website knows it's you because it has your public key. The private key never leaves your TPM/Enclave/TEE.

So yeah, this is part of the web now. You don't need to pay someone to use it.

  • flangola7 14 days ago

    How do you back it up offline?

    • nailer 13 days ago

      You can’t. I imagine when you get a replacement or additional device you manually reconfirm your email and get issued another keypair, so all subsequent logins to that website just use your face or finger or whatever.

      • bewo001 13 days ago

        That's the thing that I find unconvincing about webauthn. There seems to be no other way than to associate several key devices for every website you are using if you are concerned about losing a key device (or get a new phone, new laptop w/ TPM).

        • nailer 13 days ago

          Totally understood - you have to do it once per website per device but I get that's still a hassle. That said it doesn't have the UI quirks that (even good) password managers have.

        • DANmode 13 days ago

          Only registering new "serious business" accounts while near your second master key is easier than it sounds to us today.

quickthrower2 12 days ago

On iOS I would like to use Bitwarden, but no, it is activate keychain (don't want to complicate Bitwarden, so no), external device, or QR only.

SquareWheel 14 days ago

It asks me to enter a "security key" into my USB port, which I do not have. Is that the expected behaviour? Both Chrome and Firefox on Windows.

  • nailer 14 days ago

    Does your laptop/PC have a built-in TPM module? I.e. do you log in with Windows Hello? If not you'll need a security key.

    • SquareWheel 14 days ago

      Desktop PC with a 12th gen Intel CPU, which has a TPM 2.0 module. I don't use Windows Hello though.

      So are you saying I need to change how I log into Windows to be able to use this website / security method? I didn't really trust Windows Hello because of all the junk they bundle with Windows now. I just assumed it had some angle to it.

      I'll have to do some more reading into how this works. So far this seems much more complex than a password though. If the browser is just generating a keypair and sharing the public key, you'd think that would be possible without any specialized hardware chips or USB keys.

      • nailer 14 days ago

        You don’t need to use Windows Hello, you should be able to use TPM with a FIDO2 key or similar.

        Difference is the private key can never be read again. It can only be used to sign things.

jsdeveloper 13 days ago

Can anyone explain how one would log in with webauthn if he has lost his device and is signing from a different device? Will it work, or is his account lost forever?

  • jbverschoor 13 days ago

    It isn’t described anywhere. So probably a password reset by email.

    It’s a solution that was long overdue, but they didn’t account for multiple devices and applications.

    It’s pretty shit tbh. Was looking forward to using it, but I’ll stick with random characters

  • account-5 12 days ago

    You can't because the certs are on the device in a secure enclave. Unless you let Google/Apple/Microsoft back them up to their cloud. Then you need to hope you don't lose access to that too when your device is lost. Or you can just have multiple devices/security keys in case this happens.