django-mfa2
Passwordless approach
Hi, I just came across this package after fiddling with the django-fido project. Regarding the passwordless section in the README, it mentions creating a cookie for the previously logged-in username; I presume it's because we use that to know which user to perform the FIDO auth against?
Has anyone considered using a combination of resident_key for a discoverable credential from the key and storing the user handle against the credential in the Django database?
References: https://github.com/CZ-NIC/django-fido/issues/137, https://github.com/CZ-NIC/django-fido/pull/139, https://github.com/CZ-NIC/django-fido/pull/142
Hello,
Thanks for stopping by.
Your assumption is right, the cookie is to allow us to get the credentials to authenticate against.
You have a good point, but it depends on the FIDO2 library, as it handles the communication. I can do some trials next week, as I'm off this week, and let you know.
Hello,
It works, and that branch has the updated library and an updated example to allow the user to log in just by using his key. A new setting, MFA_RESIDENT_KEY, is created to allow the use of Resident Keys.
Note: This feature is NOT supported in all browsers, only in Chrome and Edge for now, and Firefox fails when it is ON. Also, it can't be used with previously added keys, as the userHandle won't be available on both sides.
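The lookup discussed in this thread, as an added example that is not part of the thread or of django-mfa2's code: the server resolves the account from the `userHandle` a discoverable credential returns, and falls back to the cookie username for keys registered earlier. The in-memory stores, `make_assertion` and `resolve_user` are hypothetical names, the sample data is constructed, and base64url JSON encoding of `rawId` and `userHandle` is an assumption.

```python
import base64
from typing import Optional

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(value: str) -> bytes:
    """Decode unpadded base64url, restoring the stripped '=' padding first."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

# Constructed sample data. Resident-key registrations store a user handle;
# keys added before the feature was enabled are only known by username.
USERS_BY_HANDLE = {
    b"\x01\x02\x03\x04": {"username": "alice", "credential_ids": {b"cred-alice-1"}},
}
LEGACY_CREDENTIALS = {"bob": {b"cred-bob-old"}}

def make_assertion(cred_id: bytes, user_handle: Optional[bytes]) -> dict:
    """Build a constructed assertion payload shaped like the browser's JSON."""
    response = {"userHandle": b64url_encode(user_handle)} if user_handle else {}
    return {"rawId": b64url_encode(cred_id), "response": response}

def resolve_user(assertion: dict, cookie_username: Optional[str] = None) -> str:
    """Return the username whose stored public key must verify the assertion.

    Signature verification itself is left to the FIDO2 library and is not shown.
    """
    cred_id = b64url_decode(assertion["rawId"])
    handle_b64 = assertion["response"].get("userHandle")
    if handle_b64:
        # Discoverable credential: the authenticator tells us who the user is.
        record = USERS_BY_HANDLE.get(b64url_decode(handle_b64))
        # The credential id must belong to the account named by the handle.
        if record is None or cred_id not in record["credential_ids"]:
            raise LookupError("unknown user handle or credential not registered to it")
        return record["username"]
    # Previously added key: no userHandle on either side, so a username hint
    # (the cookie described in the README) is the only way to find the account.
    if cookie_username and cred_id in LEGACY_CREDENTIALS.get(cookie_username, set()):
        return cookie_username
    raise LookupError("no userHandle and no usable username hint")

if __name__ == "__main__":
    print(resolve_user(make_assertion(b"cred-alice-1", b"\x01\x02\x03\x04")))
    print(resolve_user(make_assertion(b"cred-bob-old", None), cookie_username="bob"))
```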