f-23 / react-native-passkey

Passkeys for React Native
MIT License

Authenticating with Security Keys in V3 #41

Open syntag opened 1 month ago

syntag commented 1 month ago

Firstly, thanks for maintaining this package. It's exciting to see 3.0.0-beta released in stable. I am already starting to test it out.

Is authenticating with security keys (such as YubiKey) on iOS still supported in V3? I noticed that withSecurityKeys was removed, and it seems to favor passing authenticatorAttachment with platform: 'cross-platform'. However, that option is only available for registration (Passkey.create()).

Side question: Are there plans to support security keys on Android in the future?

f-23 commented 1 month ago

Hi @syntag,

you are right, as of V3 the security key option can be toggled via authenticatorAttachment. Since a get request does not have that field, it will make security keys mandatory on iOS.

Is this something you would like to see reverted and have manual control over?

syntag commented 1 month ago

> Since a get request does not have that field it will make security keys mandatory on iOS.

@f-23 From my testing, the new Passkey.get() works great on iOS, allowing me to switch to security key under Other Options. The only regression with V3 is that we no longer have manual control over which attachment types to allow.

> Is this something you would like to see reverted and have manual control over?

No, I don't think it should be reverted. Having both options in a single sign-in prompt is an improvement. But it would still be nice if we could control which authentication methods to support. This was suggested before here: https://github.com/f-23/react-native-passkey/issues/25 (I think something of the like would be a good solution).

EDIT: Updated my comment after fully testing V3

f-23 commented 1 month ago

@syntag I agree, there should be an option to enforce the usage of either security OR platform key. Default should be to use both.

Since the code structure has changed in the meantime I'm not a big fan of the suggested solution in #25.

Alternatively we could expose 2 additional functions like Passkey.getSecurityKey() and Passkey.getPlatformKey(). Same for passkey creation with Passkey.createSecurityKey() and Passkey.createPlatformKey().

They will behave the exact same compared to Passkey.get() and Passkey.create() on Android. On iOS the corresponding function would force the usage of either an external or platform authenticator.

syntag commented 4 weeks ago

@f-23 +1 on your idea of exposing separate functions to authenticate with specific methods

f-23 commented 4 days ago

@syntag This should be resolved in 3.0.0-rc!
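The thread notes that authenticatorAttachment exists only on create requests, so a relying party that wants to enforce an authenticator type at sign-in has to do it another way. The sketch below is an added example, not code from this repository or its maintainer: it narrows allowCredentials on the server and re-checks the credential that answered. The store layout, function names, rp id and credential ids are hypothetical, and it assumes the server recorded each credential's attachment at registration.

```javascript
// Added example: relying-party (server) side WebAuthn option builders.
// Constructed sample store; ids are made-up base64url strings.
const CREDENTIALS = [
  { id: 'cGxhdGZvcm0tMQ', userId: 'u1', attachment: 'platform', transports: ['internal', 'hybrid'] },
  { id: 'eXViaWtleS0x', userId: 'u1', attachment: 'cross-platform', transports: ['usb', 'nfc'] },
  { id: 'b3RoZXItdXNlcg', userId: 'u2', attachment: 'cross-platform', transports: ['usb'] },
];

// Registration: the attachment preference is a real field of the create options.
// `challenge` must be a fresh, server-generated random value (base64url).
function buildCreateOptions(user, attachment, challenge) {
  const options = {
    challenge,
    rp: { id: 'example.com', name: 'Example RP' },
    user: { id: Buffer.from(user.id).toString('base64url'), name: user.name, displayName: user.name },
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // ES256
    authenticatorSelection: { userVerification: 'preferred' },
  };
  if (attachment) options.authenticatorSelection.authenticatorAttachment = attachment;
  return options;
}

// Authentication: the get options have no attachment field, so list only the
// user's credentials of the wanted type, with their transport hints.
function buildGetOptions(userId, attachment, challenge) {
  const allowed = CREDENTIALS.filter(
    (c) => c.userId === userId && (!attachment || c.attachment === attachment));
  if (attachment && allowed.length === 0) {
    throw new Error(`no ${attachment} credential registered for ${userId}`);
  }
  return {
    challenge,
    rpId: 'example.com',
    userVerification: 'preferred',
    allowCredentials: allowed.map((c) => ({ type: 'public-key', id: c.id, transports: c.transports })),
  };
}

// The client decides what the prompt offers, so the server re-checks that the
// credential id in the assertion belongs to the user and matches the policy.
function assertionMatchesPolicy(userId, credentialId, attachment) {
  const cred = CREDENTIALS.find((c) => c.userId === userId && c.id === credentialId);
  return Boolean(cred) && (!attachment || cred.attachment === attachment);
}
```

The policy check runs in addition to normal assertion verification (challenge, origin, signature, counter), which is not shown here.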