akeeba / sociallogin

Joomla!™ login and user account creation with Facebook, Google, GitHub etc social media accounts

W3C Web Authentication (formerly FIDO 2.0) authentication #17

Closed nikosdion closed 6 years ago

nikosdion commented 7 years ago

The W3C Web Authentication standard, formerly known as FIDO 2.0, allows you to authenticate a user using strong cryptography, securely managed by the host device. On Windows computers this would be using Windows Hello which, in turn, can make use of biometrics (fingerprint scanners, near-IR face recognition cameras) or secure hardware (PIV / CCID smart cards) etc. This provides a frictionless and secure login experience.

At the time of this writing, W3C Web Authentication is only fully implemented in Microsoft Edge. Google Chrome and Firefox have implementations of an earlier version of the standard. Implementing and testing on Microsoft Edge (without the ms- prefix) would future-proof the code for other browsers.

We need to evaluate whether this is something that can be implemented as a login experience in SocialLogin or if it would fit better in the context of Two Factor Authentication in LoginGuard (or both?).

nikosdion commented 6 years ago

It looks like the only browser supporting this is Microsoft Edge on Windows 10. However, I was wrong about the implementation status. Even Edge is not implementing the specification but an earlier draft thereof. The official advice from Microsoft is "use a shim" which is problematic as it ties the API to Edge's older specification.

On top of that, the authentication is tied to a single device since a secret key is stored in the Trusted Platform Module (hardware or software) of the device. This would require us to allow the user to manage multiple login devices per account which is rather problematic from a UI point of view.

Therefore I am killing this feature until that time when all browsers get their acts together and support modern, passwordless logins in a way that makes sense.
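The two comments above describe the core of the scheme: a private key that never leaves the device, a public key handed to the site at registration, and a per-account list of such keys so a user can log in from more than one device. The following Go program is an added illustration of that relying-party logic and is not code from the SocialLogin project or from this thread. It simulates the device-bound key store in software (a real deployment would use the browser's WebAuthn API and a TPM or smart card), and the account name, credential IDs and challenge size are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the device-bound key store (a TPM, Windows Hello,
// a smart card). It keeps the private key and only ever emits the public key
// and signatures, which is why a credential cannot roam to another device.
type Authenticator struct {
	CredentialID string
	priv         *ecdsa.PrivateKey
}

// NewAuthenticator creates a fresh P-256 key pair on the simulated device.
func NewAuthenticator(credentialID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{CredentialID: credentialID, priv: priv}, nil
}

// PublicKey is the only key material exported during registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign produces the assertion signature over the relying party's challenge.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// RelyingParty is the site side: it stores any number of public keys per
// account and hands out single-use challenges.
type RelyingParty struct {
	creds   map[string]map[string]*ecdsa.PublicKey // user -> credential ID -> key
	pending map[string][]byte                      // user -> outstanding challenge
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{
		creds:   make(map[string]map[string]*ecdsa.PublicKey),
		pending: make(map[string][]byte),
	}
}

// Register stores another device's public key for the account.
func (rp *RelyingParty) Register(user, credentialID string, pub *ecdsa.PublicKey) {
	if rp.creds[user] == nil {
		rp.creds[user] = make(map[string]*ecdsa.PublicKey)
	}
	rp.creds[user][credentialID] = pub
}

// Devices returns how many login devices an account has registered, the
// number a "manage my login devices" screen would have to present.
func (rp *RelyingParty) Devices(user string) int { return len(rp.creds[user]) }

// Challenge issues a fresh random challenge, replacing any earlier one.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks that the assertion answers the outstanding challenge with one
// of the account's registered keys, then retires the challenge so the same
// signature cannot be replayed.
func (rp *RelyingParty) Verify(user, credentialID string, challenge, sig []byte) error {
	want, ok := rp.pending[user]
	if !ok || !bytes.Equal(want, challenge) {
		return errors.New("challenge missing, stale or already used")
	}
	pub, ok := rp.creds[user][credentialID]
	if !ok {
		return errors.New("credential not registered for this account")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	delete(rp.pending, user)
	return nil
}

func main() {
	rp := NewRelyingParty()
	laptop, _ := NewAuthenticator("laptop-tpm")
	phone, _ := NewAuthenticator("phone-secure-element")
	rp.Register("alice", laptop.CredentialID, laptop.PublicKey())
	rp.Register("alice", phone.CredentialID, phone.PublicKey())

	c, _ := rp.Challenge("alice")
	sig, _ := phone.Sign(c)
	fmt.Println("phone login:", rp.Verify("alice", phone.CredentialID, c, sig))
	fmt.Println("replay:", rp.Verify("alice", phone.CredentialID, c, sig))
}
```

The relying party never sees a private key, so a second device means a second public key on the account rather than a copied secret; that is the multi-device management the second comment flags as the UI problem. Rejecting a reused challenge and refusing a signature from a credential that is not on the account are the two checks a server-side implementation must not skip.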