Implement Passkeys/WebAuthn

Open basskitten opened this issue 2 years ago • 8 comments

Requirements

  • [X] This is a feature request and not a bug report. Otherwise, please create a new bug report instead.
  • [X] Please check to see if this request (or a similar one) already exists.
  • [X] It's a single feature. Please don't request multiple features in one issue.

Describe the feature you'd like

Please implement passkeys aka webauthn for Lemmy. It will make the sign in experience better and strengthen security.

https://webauthn.guide

basskitten avatar Jul 28 '23 19:07 basskitten

This would need support in the backend first, so transferring there.

lionirdeadman avatar Jul 29 '23 05:07 lionirdeadman

What is this and why would it be beneficial for Lemmy?

Nutomic avatar Aug 02 '23 14:08 Nutomic

Passkeys are the new standard to authenticate on the web.

Passkeys are a safer and easier replacement for passwords. With passkeys, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords.

(copied from passkeys.com) ironically I’m pasting this on GitHub, where I just signed in using .. guess what .. a passkey

basskitten avatar Aug 02 '23 16:08 basskitten

Sounds like this is a commercial product from some company, no thanks.

Nutomic avatar Sep 28 '23 10:09 Nutomic

> Sounds like this is a commercial product from some company, no thanks.

WebAuthn is a W3C recommended standard and a part of another W3C standard, FIDO2. Passkey is only a type of FIDO2; it was implemented not only by commercial companies but also by open-source projects such as Bitwarden/Vaultwarden. And there are many other types of FIDO2 devices: some were made by commercial companies, like YubiKey by Yubico, and others were made by the community and are open source, like Solokey and OpenSK.

https://www.w3.org/TR/webauthn-1/ https://www.w3.org/TR/webauthn-2/

CoelacanthusHex avatar Sep 28 '23 12:09 CoelacanthusHex

In other words, Passkey is often just a business term used by commercial companies to promote their FIDO2 passwordless implementations. For example, GitHub and Google call all FIDO2 passwordless devices Passkeys and call all 2FA FIDO2 devices Security Keys, but in tech, these things just use the FIDO2/WebAuthn API; they are all FIDO2 devices, just used in a different way. In tech, those should all be called Security Keys; there is no Passkey in tech terms.

CoelacanthusHex avatar Sep 28 '23 12:09 CoelacanthusHex
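
Added example, not part of the thread and not Lemmy code: the comment above says passwordless "passkey" use and second-factor "security key" use go through the same WebAuthn API. This JavaScript shows the relying-party side of that difference, in the registration options requested and in the authenticator-data flag check at sign-in. The function names, the RP ID `lemmy.example`, the choice of `discouraged` for the second-factor case and the sample bytes are assumptions; a full verifier also checks the challenge, origin, RP ID hash and signature.

```javascript
// Hypothetical helper: options for navigator.credentials.create({ publicKey }).
// "passwordless": discoverable credential plus user verification ("passkey" usage).
// "second-factor": non-discoverable credential, presence only ("security key" usage).
function buildCreationOptions(mode, user, challenge) {
  const passwordless = mode === "passwordless";
  return {
    rp: { id: "lemmy.example", name: "Example instance" }, // constructed RP
    user,       // { id: Uint8Array, name, displayName }
    challenge,  // fresh random bytes issued by the server
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      residentKey: passwordless ? "required" : "discouraged",
      userVerification: passwordless ? "required" : "discouraged",
    },
  };
}

// authenticatorData: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian) | ...
const FLAG_UP = 0x01; // user present (touch)
const FLAG_UV = 0x04; // user verified (PIN or biometric)

// Hypothetical policy check on the flags byte only.
function checkAuthenticatorFlags(authData, mode) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    return { ok: false, reason: "authenticatorData too short" };
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  if (!(flags & FLAG_UP)) return { ok: false, reason: "user presence flag not set" };
  if (mode === "passwordless" && !(flags & FLAG_UV)) {
    // Without a password, the authenticator itself must have verified the user.
    return { ok: false, reason: "user verification required for passwordless sign-in" };
  }
  return { ok: true, signCount: view.getUint32(0) };
}

// Constructed sample input: zeroed rpIdHash, chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const data = new Uint8Array(37);
  data[32] = flags;
  new DataView(data.buffer).setUint32(33, signCount);
  return data;
}
```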

I think closing this can probably be considered a mistake. On the same day this issue was closed, additional context was provided elaborating on the details, but no further response happened for several months. Can this please be reconsidered and, if found useful, can the issue please be re-opened?

foss- avatar Jan 10 '24 11:01 foss-

If someone wants to work on this, they're free to.

dessalines avatar Jan 10 '24 13:01 dessalines

Can re-open if someone wants to work on this.

dessalines avatar May 04 '24 15:05 dessalines