
Firstyear's blog-a-log

🌈 Abstract

The article discusses the author's experience and perspective on the evolution of the WebAuthn standard and the emergence of Passkeys, highlighting the issues and challenges faced in the implementation and adoption of these technologies.

🙋 Q&A

[01] The Dream

1. What was the author's initial vision and motivation for the WebAuthn library?

  • The author started developing the WebAuthn library for Rust in 2019, with the goal of creating a technology that could replace passwords. The author saw the potential for WebAuthn to enable three main use cases: second factor authentication, passwordless authentication, and usernameless authentication.
  • The author was motivated by the idea that cryptographic authentication could be made highly usable and accessible for consumers, and that WebAuthn could be "the end of passwords".

2. How did the author's work on the WebAuthn library influence the broader ecosystem?

  • The WebAuthn-rs library has had a significant influence: parts of it are used in Firefox's authenticator-rs, and it serves as a reference implementation for WebAuthn implementations in other languages and for password managers.
  • The author is humbled by the impact that WebAuthn-rs has had on the identity and authentication landscape.

[02] The Warnings

1. What issues did the author identify with the development and control of the WebAuthn standard?

  • The author warns that the WebAuthn standard is not as open as initially envisaged, with Chrome controlling a large portion of the browser market and tightly controlling the development of the standard.
  • The author cites the example of the Authenticator Selection Extension, which was removed from the standard because Chrome never implemented it, demonstrating that Chrome can effectively veto features it doesn't like without consequence.
  • The author also notes that many of the decisions around the standard are made at "F2F" (face-to-face) meetings in the US, which excludes the majority of international participants and gives more influence to certain voices.

2. What are the implications of the lack of device discrimination in the WebAuthn standard?

  • The author argues that the inability to filter and discriminate between different authenticator devices can lead to issues, particularly in corporate environments where there may be policies around acceptable devices.
  • Without the Authenticator Selection Extension, IDPs can still "discriminate" against devices, but the consequences are more severe, as users may enroll a device that is later rejected, potentially burning one of their resident key slots.
  • The author notes that Chrome has internal feature flags that it can use to enable its own magic features for authenticator models, while everyone else has a lesser experience.
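The device-discrimination point above is easiest to see in the relying party's own code. The following is an added example, written for this summary; it is neither code from the original post nor from the webauthn-rs project. It parses the fixed layout of WebAuthn authenticator data (rpIdHash, flags, signCount, AAGUID, credential id) and applies a hypothetical corporate policy: an allowlist of authenticator models by AAGUID plus a user-verification requirement. The AAGUIDs, the `ALLOWED_AAGUIDS` set and the `registration_policy` function are all constructed assumptions. Two caveats a practitioner would want: the AAGUID is only trustworthy once the attestation statement's signature has been verified against the vendor's certificate chain, which this example does not do, and the check necessarily runs after the authenticator has already created the credential, which is exactly how a rejected device ends up with a burned resident key slot.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of the WebAuthn authenticator data "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included

# Corporate allowlist of authenticator models, keyed by AAGUID.
# Both values are constructed for this example and belong to no real vendor.
APPROVED_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")
UNLISTED_AAGUID = bytes.fromhex("ffeeddccbbaa99887766554433221100")
ALLOWED_AAGUIDS = {APPROVED_AAGUID}


@dataclass
class AttestedCredential:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: bytes
    credential_id: bytes


def parse_authenticator_data(auth_data: bytes) -> AttestedCredential:
    """Parse WebAuthn authenticator data with attested credential data:
    rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | credPubKey(COSE)
    The COSE public key that follows the credential id is not parsed here."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if not flags & FLAG_AT:
        raise ValueError("no attested credential data (AT flag clear)")
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    aaguid = auth_data[37:53]
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    credential_id = auth_data[55:55 + cred_len]
    if len(credential_id) != cred_len:
        raise ValueError("credential id truncated")
    return AttestedCredential(rp_id_hash, flags, sign_count, aaguid, credential_id)


def registration_policy(auth_data: bytes, expected_rp_id: str,
                        require_uv: bool = True) -> tuple[bool, str]:
    """Hypothetical policy check on a freshly created credential. Returns (accepted, reason).
    Note: by the time this runs, the authenticator has already stored the credential."""
    cred = parse_authenticator_data(auth_data)
    if cred.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"
    if not cred.flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not cred.flags & FLAG_UV:
        return False, "user verification not performed"
    if cred.aaguid not in ALLOWED_AAGUIDS:
        return False, f"authenticator model {cred.aaguid.hex()} is not on the allowlist"
    return True, "accepted"


def build_auth_data(rp_id: str, aaguid: bytes, credential_id: bytes,
                    flags: int = FLAG_UP | FLAG_UV | FLAG_AT, sign_count: int = 0) -> bytes:
    """Construct authenticator data the way an authenticator would emit it (test fixture only).
    An empty CBOR map stands in for the COSE public key."""
    placeholder_cose_key = b"\xa0"
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count)
            + aaguid
            + struct.pack(">H", len(credential_id))
            + credential_id
            + placeholder_cose_key)


if __name__ == "__main__":
    for label, aaguid in (("approved", APPROVED_AAGUID), ("unlisted", UNLISTED_AAGUID)):
        data = build_auth_data("corp.example", aaguid, b"constructed-credential-id")
        print(label, registration_policy(data, "corp.example"))
```

Running the block registers one credential from an approved model and one from an unlisted model against the same RP ID; the second is rejected with the allowlist reason. The rpIdHash and user-verification checks are included because a policy that filters on AAGUID alone still accepts a credential bound to the wrong origin or created without a PIN or biometric.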

[03] The Descent

1. How did the introduction of Passkeys by Apple impact the WebAuthn ecosystem?

  • The author explains that Apple's introduction of Passkeys, while initially seen as a positive marketing term for passwordless authentication, led to a push towards "resident keys" as the definition of Passkeys.
  • This push towards resident keys excludes the use of security keys, as they often have very limited storage capacity, which is not sufficient for most users who have more than 25 accounts.

2. How have the major platforms (Chrome, Safari, Android) impacted the user experience of Passkeys?

  • The author describes how Chrome and Safari try to force users into using the caBLE (Credential-Based Login Experience) method, which is a poor user experience, taking more than 60 seconds to complete.
  • The author also criticizes Android, which won't activate security keys if the website sends the necessary set of options for Passkeys, effectively forcing users to use the "Google Passkeys stored in Google Password Manager".
  • The author provides examples of users experiencing issues with Passkeys, such as security keys not being able to be enrolled due to filled resident key slots, platform bugs preventing Passkey creation, and Passkeys being unexpectedly wiped from the Apple Keychain.

[04] The Future

1. What is the author's prediction for the future of Passkeys?

  • The author believes that Passkeys will fail in the hands of the general consumer population, as the user experience has been compromised by the desire of corporate interests to capture markets and promote hype.
  • The author argues that Passkeys will only be used by a small subset of the technical population, and that consumers will generally reject them in favor of password managers, which the author believes provide a better experience.

2. What alternative solutions is the author considering for enterprise use cases?

  • The author suggests that within enterprise environments, there is still a place for attested security keys, where the whole experience can be controlled to avoid vendor lock-in.
  • However, the author notes that there are still rough edges and obnoxious user experience elements that need to be addressed.
  • As an alternative, the author is considering device certificates and smartcards, as the user interface is generally better than the PKCS11 and PIV specifications.