LemmyNet / lemmy

🐀 A link aggregator and forum for the fediverse
https://join-lemmy.org
GNU Affero General Public License v3.0

Implement Passkeys/WebAuthn #3768

Closed basskitten closed 7 months ago

basskitten commented 1 year ago

Requirements

Describe the feature you'd like

Please implement passkeys aka webauthn for Lemmy. It will make the sign in experience better and strengthen security.

https://webauthn.guide

lionirdeadman commented 1 year ago

This would need support in the backend first, so transferring there.

Nutomic commented 1 year ago

What is this and why would it be beneficial for Lemmy?

basskitten commented 1 year ago

Passkeys are the new standard to authenticate on the web.

Passkeys are a safer and easier replacement for passwords. With passkeys, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords.

(copied from passkeys.com) Ironically, I'm pasting this on GitHub, where I just signed in using... guess what... a passkey.

Nutomic commented 1 year ago

Sounds like this is a commercial product from some company, no thanks.

CoelacanthusHex commented 1 year ago

> Sounds like this is a commercial product from some company, no thanks.

WebAuthn is a W3C-recommended standard and a part of another standard, FIDO2. Passkey is only one type of FIDO2; it has been implemented not only by commercial companies but also by open-source projects such as Bitwarden/Vaultwarden. And there are many other types of FIDO2 devices: some were made by commercial companies, like the YubiKey by Yubico, and others were made by the community and are open source, like Solokey and OpenSK.

https://www.w3.org/TR/webauthn-1/
https://www.w3.org/TR/webauthn-2/

CoelacanthusHex commented 1 year ago

In other words, "Passkey" is often just a business term used by commercial companies to promote their FIDO2 passwordless implementation. For example, GitHub and Google call all FIDO2 passwordless devices "Passkeys" and all 2FA FIDO2 devices "Security Keys", but technically these things just use the FIDO2/WebAuthn API; they are all FIDO2 devices, just used in different ways. In technical terms they should all be called Security Keys; there is no "Passkey" in technical terms.
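The comment above makes the point that "passkey" (passwordless) and "security key" (second factor) are the same WebAuthn API used with different options. The following is an added example, not code from Lemmy or from any participant in this thread, showing exactly which fields differ in the `navigator.credentials.create()` / `get()` options, plus the server-side flag check that a relying party should do rather than trusting that the browser honoured the requested policy. The relying-party id/name, the user record, the challenge bytes and the `MODES` naming are this example's own constructed placeholders.

```javascript
// Added example (not Lemmy's code): the two usages of one WebAuthn API.
// RP, user and challenge values are constructed placeholders.

const RP = { id: "lemmy.example", name: "Lemmy" }; // hypothetical relying party

// Policy table for the two usages. The values are WebAuthn's
// ResidentKeyRequirement / UserVerificationRequirement enum strings;
// the mode names are this example's own.
const MODES = {
  // "Passkey" in vendor terms: a discoverable (resident) credential that can
  // replace the password, so user verification (PIN/biometric) is required.
  passwordless: { residentKey: "required", userVerification: "required" },
  // "Security key" in vendor terms: second factor after the password; the
  // credential need not be discoverable and proof of presence is enough.
  secondFactor: { residentKey: "discouraged", userVerification: "preferred" },
};

// Options for navigator.credentials.create() (registration ceremony).
function creationOptions(mode, user, challenge) {
  const policy = MODES[mode];
  if (!policy) throw new Error(`unknown mode: ${mode}`);
  return {
    rp: RP,
    user: { id: user.id, name: user.name, displayName: user.displayName },
    challenge, // fresh random bytes generated by the server per ceremony
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      residentKey: policy.residentKey,
      requireResidentKey: policy.residentKey === "required",
      userVerification: policy.userVerification,
    },
    attestation: "none",
    timeout: 60000,
  };
}

// Options for navigator.credentials.get() (authentication ceremony).
// Passwordless: allowCredentials is empty, so the authenticator offers its
// discoverable credentials for this RP. Second factor: the server already
// knows which account is logging in and lists that user's credential ids.
function requestOptions(mode, challenge, storedCredentialIds = []) {
  const policy = MODES[mode];
  if (!policy) throw new Error(`unknown mode: ${mode}`);
  const allowCredentials =
    mode === "passwordless"
      ? []
      : storedCredentialIds.map((id) => ({ type: "public-key", id }));
  return {
    rpId: RP.id,
    challenge,
    allowCredentials,
    userVerification: policy.userVerification,
    timeout: 60000,
  };
}

// Server-side check on the authenticatorData returned by either ceremony:
// byte 32 (after the 32-byte rpIdHash) holds the flags.
const FLAG_UP = 0x01, FLAG_UV = 0x04, FLAG_BE = 0x08, FLAG_BS = 0x10, FLAG_AT = 0x40;

function parseAuthDataFlags(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const f = authData[32];
  return {
    userPresent: (f & FLAG_UP) !== 0,
    userVerified: (f & FLAG_UV) !== 0,
    backupEligible: (f & FLAG_BE) !== 0, // set by synced ("passkey") credentials
    backedUp: (f & FLAG_BS) !== 0,
    attestedCredential: (f & FLAG_AT) !== 0,
  };
}

// The server must enforce its own policy: presence is always required, and
// a passwordless login is rejected if the UV bit is not set.
function policySatisfied(mode, authData) {
  const policy = MODES[mode];
  if (!policy) throw new Error(`unknown mode: ${mode}`);
  const flags = parseAuthDataFlags(authData);
  if (!flags.userPresent) return false;
  if (policy.userVerification === "required" && !flags.userVerified) return false;
  return true;
}

// Constructed sample: zero rpIdHash, the given flags byte, zero signCount.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  return buf;
}
```

In a real deployment the challenge is random, stored server-side and compared against the signed `clientDataJSON`, and the signature over `authenticatorData || sha256(clientDataJSON)` is verified with the stored public key; only then do the flag checks above mean anything.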

foss- commented 10 months ago

I think closing this can probably be considered a mistake. On the same day this issue was closed, additional context was provided elaborating on the details, but no further response happened for several months. Can this please be reconsidered and, if found useful, the issue re-opened?

dessalines commented 10 months ago

If someone wants to work on this, they're free to.

dessalines commented 7 months ago

Can re-open if someone wants to work on this.