WebAuthn Is Great and It Sucks (2020)

I&#x27;m calling it now: if&#x2F;when this really takes off, this will absolutely be used as a way to lock users into the platform (OS and&#x2F;or browser). Even the vendors that have committed to being open about 3rd party integration will close that loophole. It will be done &#x27;in the name of security&#x27;, because, ostensibly, Microsoft&#x2F;Apple can ensure the keys are stored &#x27;more securely&#x27; or the sync is easier.<p>Having the keys in your PW manager of choice is worthless if your browser&#x2F;OS won&#x27;t play ball. Keeping all those logins locked inside Apple&#x2F;Google&#x2F;MS&#x27;s garden is just too juicy of a &#x27;sticky&#x27; platform lock-in to ignore. Besides, only nerds care about integration of other key storage platforms; 98% of users will just keep them in iCloud&#x2F;Hello&#x2F;Google, so maintaining the APIs to enable that integration will be on the chopping block of every Product Manager.<p>e.g. look at Google&#x27;s Authenticator app. Once you add a TOTP secret, you can&#x27;t get it back out. Only recently did they add the ability to sync, but only to other Android devices you own. Those keys are hidden forever, for your protection.

This article is from April 2020, over three years ago.<p>Since then, both Apple and Google have implemented WebAuthn for passwordless account signin. Best Buy does too.<p>edit: eBay does too, I remembered right according to the list posted below. Some notable ones are DocuSign, PayPal, Shopify, Adobe, and CVS.

Can anyone explain to me why we couldn&#x27;t just use client SSL certs everywhere? Before the first time you connect to a website, your browser asks if you want to generate a new cert or reuse an existing one, you make a choice, and from then on you interact with that site as an identity tied to that cert and you&#x27;re done. From the servers point of view, the user&#x27;s identity is a key fingerprint, which is just a property of the connection. Why is it more complicated than that?<p>Oh right, the benevolent overlords, in their wisdom, discerned that mere mortals can&#x27;t be trusted with private key material.<p>Nevermind, move along.

Little question on that topic<p>Maybe it’s that all this stuff is still new but whenever something offers PassKey support I now add 3:<p>- one on android<p>- one on iOS<p>- one in 1Password<p>Even more fun when it’s mixed with yubikeys, add primary key and secondary key to that list<p>I now have a spreadsheet to write down which website has which keys added to keep track. Hopefully something like 1Password will handle that soon, but I don’t want to risk losing access to my iCloud or Google and getting locked out. Even more confusing when browsers like chrome offer to save a passkey into the browser which is synced only within that browser (I think, exception being Safari)<p>How are you all handling that?

It will fail, like all attempts to replace passwords have failed, because it doesn&#x27;t address the problem that all the orhers didn&#x27;t address: users don&#x27;t understand it.<p>Users understand passwords. They even understand entering a 6-digit number that was texted to their phone. That&#x27;s about it. It has to be that easy, or it will fail. If you have to start talking about public key cryptography, you&#x27;re doomed.

&gt; Using WebAuthn, you&#x27;re able to use a single authenticator (like a Yubikey, for example) on any site that supports the standard. This way, as a user, you don&#x27;t need to have passwords<p>Security people are literally delusional.

This article is from 2020, I can definitely testify things have changed for the better. We started Descope.com in 2022 and WebAuthN was one of the first things we implemented, it was easy to integrate with the rest of our system and it’s becoming the primary MFA option for our customers

Does a bank support this yet? I just want a bank with a good HYSA and security like WebAuthn or yubikeys.

3 years old, as other folks have noted.<p>We (FusionAuth, my employer) implemented it last year and things have improved a lot, though there are still issues.<p>We put together a vendor neutral site discussing all things WebAuthn here: <a href="https:&#x2F;&#x2F;webauthn.wtf&#x2F;" rel="nofollow noreferrer">https:&#x2F;&#x2F;webauthn.wtf&#x2F;</a>

When industry creates the standards, they make it work for themselves. Everybody else in the world is on their own. Doesn&#x27;t work for you? Nobody else supports it? It&#x27;s really complicated? Everyone seems to implement it differently? Not their problem! They got the standard they wanted.<p>If it doesn&#x27;t work for you, that&#x27;s your fault for not being part of the standards body when this was being proposed. Or, even if you were part of the standards body, if you don&#x27;t agree to whatever the giant incumbents want, they&#x27;ll go implement their own thing, defeating the purpose of the standard; so you have to agree anyway