View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0003581 | Composr | core | public | 2018-04-10 19:18 | 2024-07-25 21:41 |
| Reporter | Chris Graham | Assigned To | |||
| Severity | Feature-request | ||||
| Status | non-assigned | Resolution | open | ||
| Product Version | |||||
| Fixed in Version | |||||
| Summary | 0003581: Web Authentication (passwordless login matching private keys on phones to public keys on websites being logged into) [passkeys] | ||||
| Description | There's a new W3C "web authentication" spec, that has moved to candidate recommendation stage. It will be a way of logging into sites direct from your web browser. Update tut_webapp to reference the specs. | ||||
| Additional Information | It's coming soon to Firefox and Edge. | ||||
| Tags | Type: Security, Type: Standards compliance | ||||
| Time estimation (hours) | 32 | ||||
| Sponsorship open | |||||
| related to | 0000974 | resolved | Chris Graham | Composr non-bundled addons | Implement oAuth login framework |
| related to | 0001387 | non-assigned | Composr | 2-factor-authentication overhaul | |
| related to | 0003649 | non-assigned | Composr | 2-step login | |
| has duplicate | 0005482 | closed | Chris Graham | Composr | Implement passkeys |
|
|
https://venturebeat.com/2019/03/04/w3c-approves-webauthn-as-the-web-standard-for-password-free-logins/ |
|
|
I'm hoping this tech will be a Facebook Login, OpenID, and oAuth killer (for login purposes). Then we can move to a web standards approach, and even remove Facebook login support. |
|
|
Looking at the tech, I can see this is a 'passwordless login' kind of technology, and not an identity technology. So it won't generate a username, won't provide your e-mail address, etc. I think realistically this means it's not a Facebook Login competitor - it's not going to be able to provide one-click registrations. |
|
|
Good articles: https://www.vegard.net/webauthn/ https://webauthn.guide/ |
|
|
I have a feeling this tech will be stillborn. It's complex to implement, needs to work seamlessly across many new integration layers, and it seems to be anti-2FA - it's not trying to supplement passwords, but remove them. That means access to your phone+unlock-code becomes a key to everywhere. I think regular 2FA is a better bet, then we can implement this if it looks like all the big players are adopting it. |
|
|
Here is the draft version of the webauth spec: https://w3c.github.io/webauthn/ There is also another spec which allows login using encryption keys: https://w3c.github.io/vc-data-model/ |
|
|
The Passkey launch by large companies has largely been talked about as a failure. I haven't time to dig into that now, but there have been many standardized technologies over the years that just haven't panned out and this may be another one of them. Look at adoption/success rates before seriously considering implementing this. What seems to be getting popular instead is reframing regular username/password login as "Log in with email", and then having "Log in with Google" etc as equal top-level log in choices (as opposed to alternative log in forms). |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2018-04-10 19:18 | Chris Graham | New Issue | |
| 2018-04-10 19:18 | Chris Graham | Tag Attached: Type: Security | |
| 2018-04-11 01:15 | Chris Graham | Relationship added | related to 0000974 |
| 2019-03-04 18:27 | Chris Graham | Note Added: 0005930 | |
| 2019-03-04 18:28 | Chris Graham | Relationship added | related to 0001387 |
| 2019-06-17 18:40 | Chris Graham | Tag Attached: Type: Standards compliance | |
| 2019-06-27 15:37 | Chris Graham | Note Added: 0005995 | |
| 2019-06-27 17:38 | Chris Graham | Tag Attached: Roadmap: v11 | |
| 2019-06-27 17:39 | Chris Graham | Tag Attached: Roadmap: v12 | |
| 2019-07-30 23:13 | Chris Graham | Note Added: 0006062 | |
| 2019-07-30 23:13 | Chris Graham | Tag Detached: Roadmap: v12 | |
| 2019-07-30 23:13 | Chris Graham | Tag Detached: Roadmap: v11 | |
| 2021-02-04 21:34 | Chris Graham | Note Added: 0006936 | |
| 2021-02-04 21:37 | Chris Graham | Note Edited: 0006936 | View Revisions |
| 2021-02-04 21:38 | Chris Graham | Summary | Web Authentication => Web Authentication (passwordless login matching private keys on phones to public keys on websites being logged into) |
| 2021-02-04 21:38 | Chris Graham | Sponsorship open | 0 => |
| 2021-02-04 21:40 | Chris Graham | Note Added: 0006937 | |
| 2022-09-27 17:18 | Chris Graham | Note Added: 0007528 | |
| 2022-10-06 00:01 | Chris Graham | Description Updated | View Revisions |
| 2023-12-10 16:13 | Chris Graham | Relationship added | related to 0005482 |
| 2023-12-10 16:18 | Chris Graham | Relationship added | related to 0003649 |
| 2024-07-25 21:38 | Chris Graham | Summary | Web Authentication (passwordless login matching private keys on phones to public keys on websites being logged into) => Web Authentication (passwordless login matching private keys on phones to public keys on websites being logged into) [passkeys] |
| 2024-07-25 21:38 | Chris Graham | Relationship replaced | has duplicate 0005482 |
| 2024-07-25 21:41 | Chris Graham | Note Added: 0008954 |
