Managing WebAuthn credentials across multiple devices
I am trying to integrate WebAuthn (public key) based authentication into our website. I am facing a problem when end users are switching devices.

How do we maintain at the backend the credentials registered per device? If we don't, how do we decide whether to show WebAuthn based auth or not for the current device?

These are the only solutions I could think of:

  1. Use localStorage, cookies, etc. to store a device identifier, but all of these can be cleared by the end user
  2. If keys are registered on one device, we show them WebAuthn on every device, and if keys can't be found we ask them to register on this device
Chewink answered 4/5, 2022 at 9:16 Comment(0)
You're highlighting one of the key issues that WebAuthn currently has, especially for platform authenticators like Windows Hello, Touch ID, etc.

The solutions you suggest are basically all you can do, but be aware that both are far from perfect. Especially local storage can be a real rabbit hole.

You may want to take a look at FIDO Alliance's latest white paper around "multi-device FIDO credentials" where you'll learn what the industry is doing to improve the situation: https://fidoalliance.org/white-paper-multi-device-fido-credentials/

Alleneallentown answered 4/5, 2022 at 9:45 Comment(4)
@FixMgdnz I just read the paper you linked to about multi-device FIDO credentials. Some use cases: 1. A user owns multiple devices, and registers for a particular app on one of them, but needs to also use the other devices. 2. A user loses a device. 3. A user switches from e.g. Android to iOS, or vice versa. According to the paper, the hardware device vendors would provide the means to sync the user's keys across devices. But if e.g. moving from Android to iOS, would they collaborate with each other? Also, is it really a good thing to concentrate security into a few big private companies? – Spongy
Cross-platform authentication is (mostly) solved by using your phone as a roaming authenticator. This works in all possible combinations, e.g. with an Android phone and a MacBook, or an iPhone and a Windows PC. It looks like there also will be APIs on the OS level that will allow the use of external sources to sync your credentials, e.g. a "passkey manager" that works across the platforms. – Alleneallentown
Is this still the case? There is currently no 'working' solution for this problem? – Sigma
The solution is called passkeys that get synced across your devices. Either through iCloud or Google Account, and in the near future also through third-party services like password managers. Passkey sync in the Apple ecosystem already works flawlessly, and using your phone as authenticator on a non-Apple device by scanning a passkey QR code also works well. You can try this on passkeys.io. – Alleneallentown

© 2022 - 2024 — McMap. All rights reserved.