Comments (17)
At WWDC 2022 Apple announced a big push on webauthn with passkeys.
As with many standards that Apple decides to invest in, they instantly become de-facto standards.
While I know there are already some packages out there that allow Laravel applications to adopt this standard, I believe that if Laravel were to offer a webauthn solution built-in, it would both simplify developers' lives and improve users' safety, thus making Laravel an even better choice for even more projects.
@taylorotwell what do you think?
from fortify.
Of course Fortify shouldn't become bloated, but to me it looks like WebAuthn will replace TOTP sooner rather than later. Adding support for this one API would result in support of all kinds of mechanisms, be it Yubikeys, FaceID, TouchID, Windows Hello or SoloKeys.
Right now, if I want enterprise-grade 2FA, WebAuthn is the way to go and more convenient than TOTP. But there aren't any big libraries we could depend upon in the long term. Laravel stepping in and making WebAuthn a first-class citizen would be a dream come true.
But if that is off the table for now, what would we need to change about Fortify to allow easy integration with a custom 2FA Provider? It would be great if we could simply swap 2FA providers the same way we swap authentication guards.
Perhaps time to revisit this idea, as Google have now joined Apple in using passkeys / webauthn.
@litvinjuan First thing that comes to mind is increased adoption, similar to the already existing two factor authentication scaffolding. Also, having this in Fortify/Jetstream means we could provide a UI that fits your application out of the box, which a package could not easily do.
This would be a game changer for me; I currently have an NFC tag implanted in both of my hands and the ability to log in to my Laravel sites with a swipe of my hand would be 🤯
This would be great! I think multiple keys per user should be supported too. I own multiple keys, one I take with me and another one as backup, so I register both keys with web apps. Another use case would be for a user to register a physical key for desktop/laptop use and registering their phone for mobile use.
Probably won't be taking this on in the near future. Feel free to build into your own application. The more opinions we take on the more maintenance burden and complaints I have to deal with 😄
This would be awesome! I had thought of PRing this earlier, shame that so few sites support WebAuthn at the moment. 👍🏻
For anyone interested, there's a good list of Dongles and websites that support them at DongleAuth (repo is here if you want to add any sites). I've personally had experience with SoloKeys and YubiKeys.
I am personally against fully replacing two authentication methods with one (passwordless). However I'd like to propose an idea to act as a middleground:
- Similar to the "remember me" token, when a user fully authenticates with a password and webauthn once, they are given a "returning webauthn" token.
- When accessing the login page from the same browser, this token is recognised and the user is partially authenticated, waiting on the key to confirm.
- If the incorrect key is used or the key request timed out, the token is invalidated and an event is fired for auditing.
A password would only be required on a new browser. Cookie theft of the token would mean nothing without the WebAuthn key. If you suddenly see that you require a password, then it's a hint someone tried to access your account from that device.
In addition to the already-mentioned security keys and Apple TouchID, Windows Hello also supports Webauthn in all major browsers.
The larapass package might be a good starting point for such a feature.
@MarkusBiggus I feel like we're talking about different things. Webauthn is a web authentication protocol, which aims to complement traditional authentication (usernames and passwords). You should treat webauthn tokens as a second factor of authentication (or a way of authenticating the user), but I don't think it's a good idea to use it as a proof of identity when signing documents, similar to how you wouldn't use username/password for that.
Actually @m1guelpf WebAuthn can be used to be the first factor as well. It supports passwordless auth.
What would be the benefit of having it supported first-party rather than creating and installing a third party package?
And apparently (found while looking up what Windows Hello was), it also includes FaceID on the new iOS.
I've been looking at digital signing. Not interested in loading my documents into a cloud document signing service that will cost more money. I already pay for infrastructure, something like this would allow a digital signing method direct into my app.
Oh, I was proposing this as just an alternative to 2FA once you've entered your username and password, but that seems super interesting as well.