re: A world without passwords

re: I suppose the user wouldn’t actually be aware of the private key, and since it’s stored on the device, do you know how logging into the same accoun...

This is something which is not in the spec and should be handled by the implementation 👇🏽
github.com/w3c/webauthn/issues/151

Thanks for the link, though it's also kinda worrying at the same time, as it seems like a big thing to leave to individual implementations. For example, Android might support one method and iOS another - just another way to lock you to platforms. Or just Firefox and Chrome - now maybe you can't switch browsers as easily.

Or on the website side of things, some websites may have flows to support key-per-device (much like how GitHub allows multiple SSH keys) but some sites won't, making it more likely to confuse people when dealing with other implementations.

It just seems like such a big thing to leave off the table and has me concerned for sites that may only offer WebAuthn in the future.

EDIT: Just to highlight a little more why I think this is problematic while still being similar to the way existing things work - isn't half the point of removing passwords to help the average computer user not use bad passwords? The same average computer user likely would want it to be as easy as possible so if the solution isn't easily portable or has weird edge cases, I just see this as being DOA.

I understand your concern, but keep in mind big names are involved in delivering these features. Google, Microsoft, Yubico and Auth0 are just a few.

To give you an example, if you have a Yubikey, it works everywhere, cross-platform.

I'd be more thinking about how many public keys you'd have over time and what devices do to securely store those private keys 🤷‍♂️

FIDO is working on a cross-platform spec for BLE called caBLE to allow the credentials on your phone to be used with other devices like a Windows desktop. That is working now in beta on Android for Google accounts.

An external authenticator in combination with platform authenticators is probably the best option.

With passwordless, the keypair is the only thing needed to get into the account, making synchronising private keys across devices a very sensitive task.
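The key-per-device flow mentioned earlier in the thread (like GitHub's multiple SSH keys) and the external-plus-platform-authenticator setup suggested above both come down to one thing on the site's side: an account that maps to several independent credentials, with no private key ever leaving its device. The example below is added here and is not code from the post or from any WebAuthn library; the in-memory store and the function names are assumptions, while `allowCredentials` and `excludeCredentials` are the real option shapes WebAuthn defines for the browser call.

```javascript
// Relying-party side of "one credential per device" (illustrative, assumed names).
// WebAuthn only defines the option shapes; how an account maps to many
// credentials, and how a device is revoked, is up to each site.
const accounts = new Map(); // userId -> [{ credentialId, publicKey, label, signCount }]

function registerCredential(userId, credentialId, publicKey, label) {
  const creds = accounts.get(userId) ?? [];
  if (creds.some((c) => c.credentialId === credentialId)) {
    throw new Error('authenticator already enrolled for this account');
  }
  creds.push({ credentialId, publicKey, label, signCount: 0 });
  accounts.set(userId, creds);
  return creds.length; // number of devices now able to sign in
}

function registrationOptions(userId) {
  // excludeCredentials makes the browser refuse an authenticator that is already
  // enrolled, so adding a YubiKey cannot silently re-enrol the phone.
  const creds = accounts.get(userId) ?? [];
  return { excludeCredentials: creds.map((c) => ({ type: 'public-key', id: c.credentialId })) };
}

function loginOptions(userId) {
  // Any enrolled device may sign the challenge; nothing is synchronised between them.
  const creds = accounts.get(userId) ?? [];
  return { allowCredentials: creds.map((c) => ({ type: 'public-key', id: c.credentialId })) };
}

function recordAssertion(userId, credentialId, newSignCount) {
  // Each authenticator keeps its own signature counter; a counter that does not
  // advance is the spec's signal that the private key may have been cloned.
  const cred = (accounts.get(userId) ?? []).find((c) => c.credentialId === credentialId);
  if (!cred) throw new Error('unknown credential');
  if (newSignCount !== 0 && newSignCount <= cred.signCount) {
    throw new Error(`possible cloned authenticator: ${cred.label}`);
  }
  cred.signCount = newSignCount;
  return true;
}

function revokeCredential(userId, credentialId) {
  // Losing a phone should remove only that device's key, never the whole account.
  const creds = accounts.get(userId) ?? [];
  const remaining = creds.filter((c) => c.credentialId !== credentialId);
  if (remaining.length === creds.length) throw new Error('unknown credential');
  if (remaining.length === 0) throw new Error('enrol another device or recovery method before removing the last one');
  accounts.set(userId, remaining);
  return remaining.length;
}
```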

Great post. Thanks.
