dstufft
commented
1 year ago Note, this issue might be best thought of as also deciding if we want to support them.
The "problem" with Passkeys is their security model is a little "mushy". From the point of view of Warehouse directly, it's basically a single factor but that we know has really good, strong crypto behind it and that, in theory, the device requires positive identification of the user (biometrics, pin, etc). However, since Warehouse isn't involved in this 2FA, it has to trust that the device is doing that.
The risk then becomes that because this is happening on a device or application that the client controls, that it could be implemented poorly or be lying to us and really only be 1FA.
You can get around this using hardware attestation, which is basically using crypto to verify that the hardware is a specific type of hardware (an iOS device, etc). This tends to make people squeamish (for good reasons), and none of the vendors could agree on a format so it's not very easy to do.
So basically, in my understanding:
- Much Much superior to just password based auth.
- Superior to Password [^1] + TOTP.
- You trade the somewhat mushy definition of 2FA for a phishing resistant authentication scheme.
- Maybe actually slightly worse than Strong Password + WebAuthN.
- You trade slightly stronger guarantees on having true 2FA auth, for removing the friction of passwords for the user completely AND reducing the chance of account lockout to a lost device.
I could be wrong though! I'm not an expert on PassKeys.
[^1]: One of the things PassKeys are attempting to eliminate is passwords altogether, because users are awful at picking them securely anyways. We do a pretty good job at making sure our passwords are secure, so I'm not really too worried about the quality of passwords on PyPI, but it is something to keep in mind.
webknjaz
Our current 2FA support is "Something you know" (password) and "something you have" (TOTP or WebAuthN).
There's a newer authentication method called Passkeys. Under the cover's Passkeys can be thought of as basically WebAuthN token, however used with slightly different options that requires the WebAuthN token to require the user to unlock the device. Typically when using Passkeys, you do not need to sign in with a password at all, the Passkey acts as both factors.
The other benefit that Passkeys provide over traditional MFA, is that typically traditional MFA the "something you have" is device bound, so you need to register multiple devices, deal with what happens if your phone gets broken, etc. With Passkeys the credentials are not device bound [^1], and are synced within the same ecosystem (so in the ICloud Keychain, etc) but still protected by the first factor (typically FaceID, Windows Hello, a Fingerprint, or a Pin).
These can be as secure, or more secure than Password + WebAuthN (and are more secure than Password + TOTP), but reduce user friction by eliminating the need to enter a password or switch to a different device, plus reduce the cases where the user is likely to get locked out of their account.
[^1]: The site can request that they be device bound I believe, for extra assurance.