Laragear / WebAuthn

Authenticate users with Passkeys: fingerprints, patterns and biometric data.
MIT License

[2.x] WebAuthn Recovery by email #27

Closed Samuel-Bie closed 4 months ago

Samuel-Bie commented 1 year ago


Description

Hi dev team, I have been using the old package Larapass, I guess; it was working perfectly.

What about implementing it in this also?

Code sample

```php
<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use DarkGhostHunter\Larapass\Http\SendsWebAuthnRecoveryEmail;

// Handles the "I lost my device" form and sends the recovery email.
class WebAuthnDeviceLostController extends Controller
{
    use SendsWebAuthnRecoveryEmail;
}
```

and

```php
<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Providers\RouteServiceProvider;
use DarkGhostHunter\Larapass\Http\RecoversWebAuthn;

// Handles the page the recovery link lands on and registers the new credential.
class WebAuthnRecoveryController extends Controller
{
    use RecoversWebAuthn;
}
```

DarkGhostHunter commented 1 year ago

I'll add it to version 2.0.

Just to note:

  1. Sends the WebAuthn recovery email using a trait (much like SendsRecoveryEmail).
  2. WebAuthn recovery form (where the recovery link sends the user to).

dansleboby commented 1 year ago

I think this method of recovery will add weak security; normally you should have two devices registered with WebAuthn in case you lose access to the first one.

DarkGhostHunter commented 1 year ago

> I think this method of recovery will add weak security; normally you should have two devices registered with WebAuthn in case you lose access to the first one.

Not everyone has two WebAuthn compatible devices. It may be Windows Hello, but if I lose access, then I can always go back to my smartphone or even open the email on another computer.

If the user has two WebAuthn devices, they can add them manually to the app through this library.

JustPlayerDE commented 1 year ago

If such a way of recovery exists it is possible to bypass WebAuthn entirely, which makes it like another password (some email providers don't even support any 2FA).

But as long as it is not possible by default it should be fine, imo.

DarkGhostHunter commented 6 months ago

> If such a way of recovery exists it is possible to bypass WebAuthn entirely, which makes it like another password (some email providers don't even support any 2FA).
>
> But as long as it is not possible by default it should be fine, imo.

Theoretically not. I mean, if you lose your phone, you can receive an email to create a new Passkey on your personal computer: login by URL, new attestation, remove old credential. You could even force the attestation at login.

RealMrHex commented 6 months ago

> I think this method of recovery will add weak security; normally you should have two devices registered with WebAuthn in case you lose access to the first one.

> Not everyone has two WebAuthn compatible devices. It may be Windows Hello, but if I lose access, then I can always go back to my smartphone or even open the email on another computer.
>
> If the user has two WebAuthn devices, they can add them manually to the app through this library.

Agreed, it would be nice if we could provide some additional ways to gain access back to the account.

RealMrHex commented 6 months ago

@DarkGhostHunter is there any plan or est. time to release V2?

DarkGhostHunter commented 6 months ago

Not in the foreseeable future. Also, I'm not looking forward to it, since I can't think of a feature that I would want to add that would be breaking enough to make it a major version.

DarkGhostHunter commented 6 months ago

Oh, I will release v2 as a pre-release right now because I just figured Laravel 11 is coming soon. Also, goodbye PHP 8.0.

DarkGhostHunter commented 6 months ago

While publishing 2.x, I got an idea.

I plan to reuse some parts of Laravel's PasswordBroker. Since the principle is the same (generate token -> regenerate password -> consume token), the only difference is the notification email and URL. The URL where the user will land will be left to the developer.

So you will have to:

  1. Add the CanRecoverPasskey trait
  2. Migrate the passkey_recoveries table

BTW, Passkey = WebAuthn Credentials. I blame the industry, as I used WebAuthn way back before they called the credentials "Passkeys".
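The token flow described in that comment (generate token, let the user prove ownership of the link, consume the token once the new credential is registered), as an added illustration that is not the package's code: a plain-PHP broker with an in-memory array standing in for the proposed `passkey_recoveries` table. The class name, the `ttlSeconds` parameter and the sample account are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Laragear's or Laravel's own PasswordBroker. The array
// plays the role of the proposed passkey_recoveries table (email, hash, created_at).
final class PasskeyRecoveryBroker
{
    /** @var array<string, array{hash: string, created_at: int}> rows keyed by email */
    private array $recoveries = [];

    public function __construct(private int $ttlSeconds = 3600) {}

    // Issues a fresh one-time token; only its SHA-256 hash is stored, so a
    // leaked table row cannot be replayed as a working recovery link.
    public function createToken(string $email): string
    {
        $token = bin2hex(random_bytes(32));
        $this->recoveries[$email] = ['hash' => hash('sha256', $token), 'created_at' => time()];
        return $token;
    }

    // Checks the link without consuming it, so the recovery form can be shown
    // before the new passkey is attested. Expired rows are treated as absent.
    public function tokenExists(string $email, string $token): bool
    {
        $row = $this->recoveries[$email] ?? null;
        if ($row === null || time() - $row['created_at'] > $this->ttlSeconds) {
            return false;
        }
        return hash_equals($row['hash'], hash('sha256', $token)); // constant-time compare
    }

    // Deletes the row once the new credential has been registered: each link
    // works exactly once, and the old credential can then be removed.
    public function consume(string $email, string $token): bool
    {
        if (!$this->tokenExists($email, $token)) {
            return false;
        }
        unset($this->recoveries[$email]);
        return true;
    }
}

$email = 'user@example.com'; // constructed sample account
$broker = new PasskeyRecoveryBroker(ttlSeconds: 900);
$token = $broker->createToken($email);
$link = 'https://app.example/passkey/recover?' . http_build_query(['email' => $email, 'token' => $token]);
var_dump($broker->tokenExists($email, $token)); // landing page may render
var_dump($broker->consume($email, $token));     // new passkey attested, token spent
var_dump($broker->consume($email, $token));     // second use is rejected
```

In a real deployment the row would live in the database and the raw token only in the emailed URL, which is what confines the recovery path to someone who can both read that mailbox and complete a new attestation.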

DarkGhostHunter commented 4 months ago

After giving it some thought, I'm not very confident about making this feature in a way that doesn't create another table. I may revisit the idea in the future.