
Ask HN: WebAuthn – Replace Password or Second Factor?

source link: https://news.ycombinator.com/item?id=33203972
12 points by taf2 1 hour ago | 5 comments
I'm wondering whether we should be thinking about WebAuthn as a method to replace passwords, or whether we should be thinking of WebAuthn as an easier second factor in the authentication flow?
Something overwhelming about WebAuthn/U2F/FIDO2/Passkeys is that it has many different modes and settings [0]. So, my understanding is that you need to find the settings to 'upgrade' the modes from 2FA to a passwordless alternative. Not all devices are supported.

I like this explanation in Ruby [1] [2] of the whole process between the server and the browser. It also has an example you can try in your browser to see if your devices/OS are supported. Look at the bottom for the distinction between Passwordless and 2FA.

I'm making a proof of concept with WebAuthn as the only login option, for a toy project in PHP [2] with this library [3]. It has been an interesting exercise to understand the tricky parts of it.

[0] https://webauthn.lubu.ch/_test/client.html
[1] https://betterprogramming.pub/implement-a-passwordless-authe...
[2] https://archive.ph/SyaEW
[2] https://eapl.mx/twtxt/
[3] https://github.com/lbuchs/WebAuthn

I think eventually, a lot of auth on the web will move to WebAuthn (when SSO isn't used).

However, one could potentially allow users to add 1-N credentials.

For example, a PassKey (WebAuthn) synced across devices, and then a WebAuthn credential stored on a Yubikey.

That way, you'd still need two factors, and hacking the computer alone isn't enough. But there is no "traditional" password involved.

In my opinion you should think of WebAuthn as the first factor. If you want additional second factors (of whatever nature they may be) you can still add these of course.

Think of it like logging in using an SSH key.

WebAuthn should negate the need for a 2nd factor in the traditional sense (you can't steal/extract the WebAuthn private key). I suppose you could bolt on some kind of WebAuthn after a user/pass login, but I don't see why you wouldn't want it as the first-class citizen replacing the password entirely.
Overall I agree with this, but I think there's a genuine need for a general self-destruct mechanism. Having a key confiscated or taken by force should be preventable in some way, and even if I have a backup key, there needs to be a low-friction way to make a key unusable and unrecoverable.

It would also be nice to have a way to quickly de-register a lost key. Having a back-up is great, but it's still a pain to go de-register the thing on each individual provider's platform. And if I miss one provider it could easily be game over. I'm not a huge fan of centralization but a single registry for dead keys would make a lot of sense for the different providers to cooperate on.
