liberapay / liberapay.com

Source code of the recurrent donations platform Liberapay
https://liberapay.com/

Passwordless Webauthn #2163

Open mimi89999 opened 2 years ago

mimi89999 commented 2 years ago

Hello,

I would like to implement passwordless Webauthn support in Liberapay. I would like to use https://github.com/github/webauthn-json (MIT) in the frontend and https://github.com/duo-labs/py_webauthn (BSD-3-Clause) in the backend. Are there any things I should be careful about or can I just proceed with the implementation?

Changaco commented 2 years ago

At this time I can't guarantee that I will merge your work. Do I understand correctly that you're envisioning the use of WebAuthn as an alternative to passwords? In other words, you're not planning to implement #926?

mimi89999 commented 2 years ago

Yes. I would like to implement Webauthn as an alternative to passwords and not as an additional factor. It will be safe against device/token theft as I will require user verification (token pin or biometrics) and that will be the de facto second factor. I think that this is where the standards and the industry are heading with tokens like the Yubikey Bio and Apple/Google/MS Passkeys.
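
The distinction the comment draws (user verification required, so the authenticator's PIN or biometric acts as the second factor) comes down to a relying-party check on the `flags` byte of the WebAuthn authenticator data. The following is an added, dependency-free illustration of that check, not code from Liberapay or from the libraries named above (which perform the equivalent checks internally): it parses the fixed 37-byte authenticator data prefix defined by the WebAuthn spec, verifies the RP ID hash and signature counter, and enforces the UV bit only in passwordless mode. The RP ID and the authenticator data bytes are constructed here for demonstration.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of the WebAuthn authenticator data "flags" byte
# (https://www.w3.org/TR/webauthn-2/#authenticator-data).
FLAG_UP = 0x01  # User Present: the user touched the authenticator
FLAG_UV = 0x04  # User Verified: PIN or biometric checked by the authenticator
FLAG_AT = 0x40  # Attested credential data follows (registration only)
FLAG_ED = 0x80  # Extension data follows


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def user_present(self) -> bool:
        return bool(self.flags & FLAG_UP)

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)


def parse_authenticator_data(data: bytes) -> AuthenticatorData:
    """Parse the fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthenticatorData(rp_id_hash, flags, sign_count)


def check_assertion(data: bytes, rp_id: str, stored_sign_count: int,
                    passwordless: bool) -> int:
    """Relying-party checks on an authentication assertion's authenticator data.

    Returns the new signature counter to store; raises ValueError on failure.
    (Signature verification over authData || clientDataHash is a separate step.)
    """
    ad = parse_authenticator_data(data)
    # rpIdHash must be SHA-256 of the RP ID this server expects.
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not ad.user_present:
        raise ValueError("user presence not asserted")
    # Passwordless use: the authenticator itself must have verified the user,
    # otherwise possession of a stolen token alone would be enough to log in.
    if passwordless and not ad.user_verified:
        raise ValueError("user verification required for passwordless login")
    # If either counter is non-zero the authenticator supports counters, and the
    # new value must be strictly greater; a stuck counter can indicate cloning.
    if (ad.sign_count != 0 or stored_sign_count != 0) and ad.sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase")
    return ad.sign_count


def assertion_verdict(data: bytes, rp_id: str, stored_sign_count: int,
                      passwordless: bool) -> str:
    """Turn a policy decision into a readable verdict string."""
    try:
        new_count = check_assertion(data, rp_id, stored_sign_count, passwordless)
    except ValueError as e:
        return f"rejected: {e}"
    return f"accepted, sign_count={new_count}"


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticator data (not real authenticator output)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


RP_ID = "example.invalid"  # placeholder RP ID, constructed for the example

if __name__ == "__main__":
    uv_ok = build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 42)
    print(assertion_verdict(uv_ok, RP_ID, 41, passwordless=True))
    up_only = build_authenticator_data(RP_ID, FLAG_UP, 43)
    # UP-only is rejected as a password replacement ...
    print(assertion_verdict(up_only, RP_ID, 42, passwordless=True))
    # ... but acceptable as a second factor alongside a password.
    print(assertion_verdict(up_only, RP_ID, 42, passwordless=False))
```

The same assertion is thus accepted or rejected depending on which mode the relying party is in, which is why the passwordless and second-factor designs discussed in this thread need different server-side policy even though the browser-side ceremony is identical.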

mimi89999 commented 2 years ago

You can test it on https://webauthn.io/. To do that you need to set User Verification to required in advanced settings. You can also see how it works on https://www.pastery.net/.

Changaco commented 2 years ago

I'm not convinced that this is a good idea. Passwords are already optional for Liberapay accounts, and so far people have asked for an additional authentication factor, not for an alternative, so I'm not sure that it makes sense to add support for WebAuthn in a way which wouldn't allow 2FA.

I'm also concerned that WebAuthn currently isn't quantum-resistant, so it's actually less future-proof than randomly generated shared secrets.

ptman commented 2 years ago

WebAuthn has algorithmic agility, so once everyone agrees on a quantum-resistant algorithm, it should be easy to support.

That said, WebAuthn can be used to add a 2nd factor to passwords, maybe that should be done first