Webauthn support

[m1guelpf]

Would you be interested in a PR that adds webauthn (Security Keys and TouchID) support to Fortify and Jetstream? Would be awesome to have something like this out of the box.

[owenvoke]

This would be awesome! I had thought of PRing this earlier, shame that so few sites support WebAuthn at the moment. 👍🏻

For anyone interested, there's a good list of Dongles and websites that support them at DongleAuth (repo is here if you want to add any sites). I've personally had experience with SoloKeys and YubiKeys.

[litvinjuan]

What would be the benefit of having it supported first-party rather tan creating and installing a third party package?

[m1guelpf]

@litvinjuan First thing that comes to mind is increased adoption, similar to the already existing two factor authentication scaffolding. Also, having this in Fortify/Jetstream mean we could provide an UI that fits your application out of the box, which a package could not easily do.

[RobertBoes]

This would be great! I think multiple keys per user should be supported too. I own multiple keys, one I take with me and another one as backup, so I register both keys with web apps. Another use case would be for a user to register a physical key for desktop/laptop use and registering their phone for mobile use.

[kohenkatz]

In addition to the already-mentioned security keys and Apple TouchID, Windows Hello also supports Webauthn in all major browsers.

[m1guelpf]

And apparently (found while looking up what Windows Hello was), it also includes FaceID on the new iOS.

[stefanzweifel]

The larapass package might be a good starting point for such a feature.

[brysonreece]

This would be a game changer for me; I currently have an NFC tag implanted in both of my hands and the ability to log in to my Laravel sites with a swipe of my hand would be 🤯

[MarkusBiggus]

I've been looking at digital signing. Not interested in loading my documents into a cloud document signing service that will cost more money. I already pay for infrastructure, something like this would allow a digital signing method direct into my app.

[m1guelpf]

@MarkusBiggus I feel like we're talking about different things. Webauthn is a web authentication protocol, which aims yo complement traditional authentication (usernames and passwords). You should treat webauthn tokens as a second factor of authentication (or a way of authenticating the user), but I don't think it's a good idea to use it as a proof of identity when signing documents, similar to how you wouldn't use username/password for that.

[francislavoie]

Actually @m1guelpf WebAuthn can be used to be the first factor as well. It supports passwordless auth.

[MarkIvanowich]

I am personally against fully replacing two authentication methods with one (passwordless). However I'd like to propose an idea to act as a middleground:

1. Similar to the "remember me" token, when a user fully authenticates with a password and webauthn once, they are given a "returning webauthn" token.
2. When accessing the login page from the same browser, this token is recognised and the user is partially authenticated, waiting on the key to confirm.
3. If the incorrect key is used or key request timed out, the token is invalidated an event is fired for auditing.

A password would only be required on a new browser. Cookie theft of the token would mean nothing without the WebAuthn key. If you suddenly see that you require a password, then it's a hint someone tried to access your account from that device.

[m1guelpf]

Oh, I was proposing this as just an alternative to 2FA once you've entered your username and password, but that seems super interesting as well

[taylorotwell]

Probably won't be taking this on in the near future. Feel free to build into your own application. The more opinions we take on the more maintenance burden and complaints I have to deal with 😄

[tillsanders]

Of course Fortify shouldn't become bloated, but to me it looks like WebAuthn will replace TOTP sooner rather than later. Adding support for this one API would result in support of all kinds of mechanisms, be it Yubikeys, FaceID, TouchID, Windows Hello or SoloKeys.

Right now, if I want enterprise-grade 2FA, WebAuthn is the way to go and more convenient than TOTP. But there aren't any big libraries we could depend upon in the long term. Laravel stepping in and making WebAuthn a first-class citizen would be a dream come true.

But if that is off the table for now, what would we need to change about Fortify to allow easy integration with a custom 2FA Provider? It would be great if we could simply swap 2FA providers the same way we swap authentication guards.

[lucadegasperi]

At WWDC 2022 Apple announced a big push on webauthn with passkeys. As with many standards that Apple decides to invest in, they instantly become de-facto standards.

While I know there are already some packages out there that allow Laravel applications to adopt this standard, I believe that if Laravel were to offer a webauthn solution built-in, it would both simplify developer's life as well as user's safety thus making Laravel an even better choice for even more projects.

@taylorotwell what do you think?

[kurucu]

Perhaps time to revisit this idea, as Google have now joined Apple in using passkeys / webauthn.

[ghost]

Passkeys have become common place now. Time for Fortify to support this out of the box IMHO.

[lionslair]

Passkeys have become common place now. Time for Fortify to support this out of the box IMHO.

100% agree. I have put all sites that support it into my bitwarden now and all appear to use the same protocol.

here is a great demo of it in laravel https://blog.joe.codes/implementing-passkey-authentication-in-your-laravel-app