
WebAuthn + Atomic Authentication

Open joepio opened this issue 3 years ago • 0 comments

The WebAuthn specification is a secure and user-friendly system for authentication. It uses public keys, signatures and hardware crypto linked to origins to prevent phishing attacks and skip dealing with passwords. All major browsers support it, although the UX is sometimes not ideal (e.g. on Firefox we can't use macOS fingerprints).

Here's how registration feels:

UX on Safari (macOS / iOS) is great:

[Screenshot 2022-09-19 at 12 58 59]

UX on Chrome is a bit more confusing (it should provide a sensible default / big button), but more powerful:

[Screenshot 2022-09-19 at 13 08 17]

However, if you set the authentication type to Platform (TPM), this screen becomes easier:

[Screenshot 2022-09-19 at 13 11 15]

Future

  • The big three (Apple, Google, Microsoft) will work on expanded support for credential sharing with FIDO, which should standardize a UX for using your phone to sign in. Let's hope Mozilla also joins this!
  • Credential management API

Implementation suggestion

  • We only support the Platform (TPM) authenticator type. This means no confusing selection screens and weird UX for partial cross-browser support.
  • If the client does not support this, we fall back on a less secure / less standardised alternative (e.g. store the private key with WebCrypto).

@adileo you'll find this interesting

joepio, Sep 19 '22 11:09