DEV Community

Arnaud Dagnelies

Universal passwordless authentication - The beginning

For quite some time now, I've toyed with the idea of making an authentication platform ...and I'm starting to do it! I'm currently on parental leave, freed from the corporate life, and in my evening hours, when the kids are sound asleep, I thought I would give this a shot.

I always found the authentication landscape kind of broken. For both users and developers. On one side, for users, you have to register separately on every damn website, with frustratingly complex passwords, while your grandma is again the victim of a phishing attack anyway. On the other side of the fence, just implementing a secure authentication system is a time-consuming piece of work ...and with a lot of unexpected complexity (yeah, I'm looking at you, OAuth2!). And if you want something really safe with MFA, oh boy ...well, no wonder there are so many paid identity providers. Just for what? Just to authenticate users.

So here it goes, let's simplify that for everyone! Global identities with passwordless authentication. Just put your finger on your phone sensor or look at your laptop's camera to register/login, that's it. If you want to try it out, here it is:

Passwordless

Authentication using TouchID or FaceID for everyone. Less passwords, more security!

dagnelies.github.io

This is all thanks to a recent W3C protocol called WebAuthn. However, no matter how great this protocol is, it also has a big shadow side: its sheer complexity. Hundreds of pages of specs, obscure binary data structures, unintuitive corner cases and so on.

So well, that's why making a "working out of the box" service would make sense to me, and that is what I'm attempting to build here. Ideally for free for everyone, sustained by some magical sponsorships, but this sounds like utopia to me right now. Currently, it's, ahem, just in its early infancy. It's like a baby just looking around, waiting to grow up into a fine service. Heck, it does not even have a proper domain name yet!

So why am I showing such an early, far from finished, completely messy thing? Well, to gather interest. As a solo dev, it's kind of lonely to just develop in the void without any feedback ...and your head is haunted with questions like "is it worth it?" and "will anybody use it anyway?". So, if you like what you see so far, please cheer for me! :D You are very welcome to also tell me what you would like to see next, or just tell me you liked it so far. Thank you for reading!

Top comments (4)

Ravavyr

Love the idea, hope you can turn it into something widely used.

However, aren't fingerprints and face recognition easily fooled currently?

I much prefer typing in my email address for example and using "login with google" currently and relying on google to not get hacked :)

Thoughts?

Arnaud Dagnelies • Edited

The fingerprint / face is used to access a protected (cryptographic) key stored on the device. In other words, as an attacker, you would first need to get your hands on the phone/laptop/other of the person you are trying to impersonate. ... And if you are able to fool the local authentication, you basically have all the rights on the device anyway.
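
The split described in the reply above, as an added example that is not part of the thread and not the author's code: a simplified model of a WebAuthn login in which the device signs a server challenge and the server checks the result with only a public key. The origin, RP ID, function names and the `localUserVerified` flag are assumptions made for this sketch, and the authenticator derives the RP ID from the origin for brevity.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed values for this example only.
const ORIGIN = 'https://example.test';
const RP_ID = 'example.test';
const sha256 = (d) => nodeCrypto.createHash('sha256').update(d).digest();

// Device side: the private key never leaves this closure; the biometric or
// PIN result (localUserVerified) only decides whether the key may be used.
function makeAuthenticator() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let signCount = 0;
  function getAssertion(challenge, origin, localUserVerified) {
    if (!localUserVerified) throw new Error('local user verification failed');
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get',
      challenge: challenge.toString('base64url'),
      origin,
    }));
    const counter = Buffer.alloc(4);
    counter.writeUInt32BE(++signCount);
    // authenticatorData = rpIdHash (32 bytes) | flags (1) | signCount (4).
    // Flags 0x05 = user present (0x01) + user verified (0x04).
    const rpIdHash = sha256(new URL(origin).hostname);
    const authData = Buffer.concat([rpIdHash, Buffer.from([0x05]), counter]);
    const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
    const signature = nodeCrypto.sign('sha256', signed, privateKey);
    return { clientDataJSON, authData, signature };
  }
  return { publicKey, getAssertion };
}

// Server side: stores only the public key, the last counter and the
// challenge it issued. Returns 'ok' or the reason for rejection.
function verifyAssertion(publicKey, issuedChallenge, lastCount, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== issuedChallenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== ORIGIN) return 'origin mismatch';
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpId mismatch';
  if ((a.authData[32] & 0x05) !== 0x05) return 'user not verified';
  if (a.authData.readUInt32BE(33) <= lastCount) return 'counter did not increase';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, a.signature)
    ? 'ok' : 'bad signature';
}
```

No fingerprint or face data appears anywhere in what the server receives; a captured assertion fails against a fresh challenge, and one produced on a look-alike origin fails the origin check.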

Arnaud Dagnelies

Hi. There was still the question pending of "Why not login with google?" that I did not really answer. The response is a little late because it did not really fit as a comment, but I tried my best to answer it in the last section of my latest post ;) dev.to/dagnelies/passwordlessid-fi...

Arnaud Dagnelies

Thanks for all your support!