
Webauthn support (fortify issue, closed, 17 comments)

laravel commented on April 28, 2024 · 96
Webauthn support

from fortify.

Comments (17)

lucadegasperi commented on April 28, 2024 · 19

At WWDC 2022 Apple announced a big push on webauthn with passkeys.
As with many standards that Apple decides to invest in, they instantly become de-facto standards.

While I know there are already some packages out there that allow Laravel applications to adopt this standard, I believe that if Laravel were to offer a webauthn solution built-in, it would both simplify developers' lives and improve users' safety, thus making Laravel an even better choice for even more projects.

@taylorotwell what do you think?


tillsanders commented on April 28, 2024 · 17

Of course Fortify shouldn't become bloated, but to me it looks like WebAuthn will replace TOTP sooner rather than later. Adding support for this one API would result in support of all kinds of mechanisms, be it Yubikeys, FaceID, TouchID, Windows Hello or SoloKeys.

Right now, if I want enterprise-grade 2FA, WebAuthn is the way to go and more convenient than TOTP. But there aren't any big libraries we could depend upon in the long term. Laravel stepping in and making WebAuthn a first-class citizen would be a dream come true.

But if that is off the table for now, what would we need to change about Fortify to allow easy integration with a custom 2FA Provider? It would be great if we could simply swap 2FA providers the same way we swap authentication guards.


kurucu commented on April 28, 2024 · 13

Perhaps time to revisit this idea, as Google have now joined Apple in using passkeys / webauthn.


m1guelpf commented on April 28, 2024 · 12

@litvinjuan First thing that comes to mind is increased adoption, similar to the already existing two factor authentication scaffolding. Also, having this in Fortify/Jetstream means we could provide a UI that fits your application out of the box, which a package could not easily do.


brysonreece commented on April 28, 2024 · 10

This would be a game changer for me; I currently have an NFC tag implanted in both of my hands and the ability to log in to my Laravel sites with a swipe of my hand would be 🤯


RobertBoes commented on April 28, 2024 · 8

This would be great! I think multiple keys per user should be supported too. I own multiple keys, one I take with me and another one as backup, so I register both keys with web apps. Another use case would be for a user to register a physical key for desktop/laptop use and registering their phone for mobile use.


taylorotwell commented on April 28, 2024 · 7

Probably won't be taking this on in the near future. Feel free to build into your own application. The more opinions we take on the more maintenance burden and complaints I have to deal with 😄


owenvoke commented on April 28, 2024 · 5

This would be awesome! I had thought of PRing this earlier, shame that so few sites support WebAuthn at the moment. 👍🏻

For anyone interested, there's a good list of Dongles and websites that support them at DongleAuth (repo is here if you want to add any sites). I've personally had experience with SoloKeys and YubiKeys.


MarkIvanowich commented on April 28, 2024 · 5

I am personally against fully replacing two authentication methods with one (passwordless). However, I'd like to propose an idea to act as a middle ground:

  1. Similar to the "remember me" token, when a user fully authenticates with a password and webauthn once, they are given a "returning webauthn" token.
  2. When accessing the login page from the same browser, this token is recognised and the user is partially authenticated, waiting on the key to confirm.
  3. If the incorrect key is used or the key request times out, the token is invalidated and an event is fired for auditing.

A password would only be required on a new browser. Cookie theft of the token would mean nothing without the WebAuthn key. If you suddenly see that you require a password, then it's a hint someone tried to access your account from that device.

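As an added illustration of the three-step flow proposed in the comment above (this is not Fortify code and not the commenter's code): a plain-PHP sketch of the server-side state machine for the "returning webauthn" token. It assumes a WebAuthn library has already checked the assertion signature against the issued challenge and passes that result in as a boolean; the class name, the in-memory storage layout, the credential ids and the timestamps are all hypothetical values constructed for the walk-through.

```php
<?php
// Added illustration (not Fortify code): state machine for the "returning
// webauthn" token. Real WebAuthn assertion verification is assumed to be done
// by a WebAuthn library; the caller passes its boolean result in. Names and
// storage layout are hypothetical.
declare(strict_types=1);

final class ReturningWebauthnTokens
{
    // token_hash => ['user_id' => int, 'expires_at' => int, 'challenge_at' => ?int]
    private array $tokens = [];
    // user_id => list of registered WebAuthn credential ids
    private array $credentials = [];
    // audit trail of invalidations (in Laravel this would be a dispatched event)
    public array $audit = [];

    public function __construct(
        private int $tokenTtl = 30 * 24 * 3600, // lifetime comparable to "remember me"
        private int $keyTimeout = 120,          // seconds allowed for the key prompt
    ) {}

    public function registerCredential(int $userId, string $credentialId): void
    {
        $this->credentials[$userId][] = $credentialId;
    }

    // Step 1: after a full password + WebAuthn login, hand the browser a token.
    // Only its hash is stored, so a leaked table yields no usable tokens.
    public function issue(int $userId, int $now): string
    {
        $raw = bin2hex(random_bytes(32));
        $this->tokens[hash('sha256', $raw)] = [
            'user_id' => $userId,
            'expires_at' => $now + $this->tokenTtl,
            'challenge_at' => null,
        ];
        return $raw;
    }

    // Step 2: on the login page, recognise the token and move the user into a
    // partially authenticated state that waits for the key.
    public function begin(?string $raw, int $now): array
    {
        if ($raw === null) {
            return ['state' => 'needs_password'];
        }
        $key = hash('sha256', $raw);
        $rec = $this->tokens[$key] ?? null;
        if ($rec === null || $rec['expires_at'] <= $now) {
            unset($this->tokens[$key]);
            return ['state' => 'needs_password'];
        }
        $this->tokens[$key]['challenge_at'] = $now;
        return ['state' => 'awaiting_key', 'user_id' => $rec['user_id']];
    }

    // Step 3: the browser answers the challenge. An unknown key, a failed
    // signature check or a timed-out prompt invalidates the token and is audited,
    // so the next visit from this browser falls back to a password prompt.
    public function complete(string $raw, string $credentialId, bool $assertionValid, int $now): array
    {
        $key = hash('sha256', $raw);
        $rec = $this->tokens[$key] ?? null;
        if ($rec === null || $rec['challenge_at'] === null) {
            return ['state' => 'needs_password'];
        }
        $userId = $rec['user_id'];
        $timedOut = ($now - $rec['challenge_at']) > $this->keyTimeout;
        $wrongKey = !in_array($credentialId, $this->credentials[$userId] ?? [], true);

        if ($timedOut || $wrongKey || !$assertionValid) {
            unset($this->tokens[$key]);
            $this->audit[] = [
                'event'   => 'returning_webauthn_token_invalidated',
                'user_id' => $userId,
                'reason'  => $timedOut ? 'timeout' : ($wrongKey ? 'unknown_credential' : 'invalid_assertion'),
                'at'      => $now,
            ];
            return ['state' => 'needs_password'];
        }
        $this->tokens[$key]['challenge_at'] = null;
        return ['state' => 'authenticated', 'user_id' => $userId];
    }
}

// Walk-through with constructed values (user 42, one registered key).
$store = new ReturningWebauthnTokens();
$store->registerCredential(42, 'cred-yubikey-A');
$t0 = 1_700_000_000;
$cookie = $store->issue(42, $t0);                                   // after a full login

$s = $store->begin($cookie, $t0 + 3600);                             // later, same browser
assert($s['state'] === 'awaiting_key');
$s = $store->complete($cookie, 'cred-yubikey-A', true, $t0 + 3610);  // right key, in time
assert($s['state'] === 'authenticated');

$s = $store->begin($cookie, $t0 + 7200);
$s = $store->complete($cookie, 'cred-other-B', true, $t0 + 7205);    // wrong key
assert($s['state'] === 'needs_password');
assert($store->audit[0]['reason'] === 'unknown_credential');
assert($store->begin($cookie, $t0 + 7300)['state'] === 'needs_password'); // token is gone
```

The point of the walk-through is the last two assertions: once a wrong key or a timeout has been seen, the token no longer exists, so the browser is pushed back to a password prompt and the audit entry explains why. Binding the stored token to a hash, and checking the credential id against the user's registered keys before trusting the assertion, is what makes a stolen cookie alone insufficient, as the comment argues.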

kohenkatz commented on April 28, 2024 · 1

In addition to the already-mentioned security keys and Apple TouchID, Windows Hello also supports Webauthn in all major browsers.


stefanzweifel commented on April 28, 2024 · 1

The larapass package might be a good starting point for such a feature.


m1guelpf commented on April 28, 2024 · 1

@MarkusBiggus I feel like we're talking about different things. Webauthn is a web authentication protocol, which aims to complement traditional authentication (usernames and passwords). You should treat webauthn tokens as a second factor of authentication (or a way of authenticating the user), but I don't think it's a good idea to use it as a proof of identity when signing documents, similar to how you wouldn't use username/password for that.


francislavoie commented on April 28, 2024 · 1

Actually @m1guelpf WebAuthn can be used to be the first factor as well. It supports passwordless auth.


litvinjuan commented on April 28, 2024

What would be the benefit of having it supported first-party rather than creating and installing a third party package?


m1guelpf commented on April 28, 2024

And apparently (found while looking up what Windows Hello was), it also includes FaceID on the new iOS.


MarkusBiggus commented on April 28, 2024

I've been looking at digital signing. Not interested in loading my documents into a cloud document signing service that will cost more money. I already pay for infrastructure, something like this would allow a digital signing method direct into my app.


m1guelpf commented on April 28, 2024

Oh, I was proposing this as just an alternative to 2FA once you've entered your username and password, but that seems super interesting as well

