I've had to implement WebAuthn support once and it was a mess. Basically every browser and OS combination works slightly differently, so I ended up having to make a bunch of changes to get at least a somewhat decent UX. And Windows machines act completely differently depending on whether or not your computer has Windows Hello set up. And no one seems to have any idea of how Resident Keys should be managed, so if you ever register one, it just kinda exists from here until the end of time unless you know that one neat trick on how to get rid of one.
That's weird. I implemented it a year ago and it basically works perfectly on all the browsers I use. I can enroll a Yubikey on my desktop, and then hold it up to my iPhone to log in. (Of course, I also enrolled FaceID on the phone.)
My one complaint is that enrollments don't sync between my iPhone and my iPad. Had to enroll my face twice.
Your face unlocks a certificate in the TPM (or Apple equivalent), and each device has unique certificates, so it's expected that you have to enroll for each device. The YubiKey has its own certificate, which is why it can be used everywhere without having to enroll it multiple times.
I believe there is a plan to support syncing private keys [0] (that you can turn on via the developer tab in Safari) announced at WWDC 2021 [1] and discussed in this blog post from Hanko [2]. But I have not heard any more about it in the last 10 months.
Such a technology looks to me like an attractive nuisance. It's the Bearer Bonds of security technology - benefits to legitimate users are minor, yet the costs from all the illegitimate uses accrue to everybody all the time.
Don't get me wrong, it would be very useful (well, the Apple version not to me directly since I don't have an Apple device) but I think the security penalty is too high in practice.
Yeah, I don't see this as a big security disaster. I sync my SSH keys between machines manually. That increases the exposure risk, but not as much as using the same password on every site. Mobile devices have pretty good security (option to auto-wipe after using the wrong lock screen passcode a certain number of times). Desktop security is pretty bad (straightforward to steal the Windows Hello keys on some installs), but the rootkit that steals your WebAuthn keys will also just steal your Google session cookies or whatever.
What was inconsistent between browsers/OSes? I've implemented webauthn support and didn't have to do anything special to make it work in all browsers I've tested with.
Registration UX/flow, JavaScript APIs, and removing Resident Keys at least.
Windows computers with Windows Hello activated basically completely ignore hardware-based WebAuthn devices unless you specify that you want to register a cross-platform device. So the same piece of registration code will act differently between Chrome on macOS, where you will be asked if you want to register a platform authenticator (Touch ID) or a cross-platform authenticator (Yubikey), and Chrome on Windows, where you will basically be automatically defaulted to the platform authenticator (Windows Hello) unless you abort the Windows Hello registration, in which case it will switch over to a cross-platform registration. You basically need to set authenticator attachment to either "platform" or "cross-platform" to get a consistent experience across macOS and Windows.
And Safari for example requires user gestures for navigator.credentials.get(), so if you were thinking of redirecting users to a /login/verify/ page where it will automatically prompt for a WebAuthn verification, you actually need Safari users to click on a button on that page. On other browsers, you can basically just pop up the WebAuthn prompt automatically on page load.
And removing Resident Keys is another pain point. On Windows you basically need to do it via the command-line, whereas on macOS you need to go to "Clear browsing data" and then select "Passwords and other sign-in data" in order to get rid of them. So on Windows, they make it basically impossible for the regular user, and on macOS, they make it so easy that users might accidentally do it if they don't realise that the internal password manager and the stored Resident Keys are wiped the same way. Can't remember how it worked for Firefox, but I'm sure it will be at least slightly different (or didn't work at all, Firefox was painful).
I also can't remember off the top of my head if Firefox even supported fingerprint-backed authenticator devices on macOS. On Windows it might, since I think everything there goes through Windows Hello.
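An added example (not code from anyone in this thread) that applies the two points above: the registration options name the authenticator attachment explicitly instead of leaving it to the browser/OS default, and `navigator.credentials.get()` is only ever called from inside a click handler so the flow also works on Safari. The shape of the server-provided options (`challenge`, `rpId`, `userId`, `credentialIds` and so on, all base64url strings) and the `fetchServerOptions`/`postAssertion` callbacks are assumptions for this example; the credential call itself is guarded so the pure helpers can be exercised outside a browser.

```javascript
// Base64url helpers: WebAuthn wants ArrayBuffers/typed arrays, JSON transports strings.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(s.length / 4) * 4, '=');
  const bin = atob(b64);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

function bytesToBase64url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Registration: force the caller to pick "platform" or "cross-platform".
// Leaving authenticatorAttachment unset is what makes Chrome/Windows default
// to Windows Hello while Chrome/macOS shows a chooser.
function buildRegistrationOptions(server, attachment) {
  if (attachment !== 'platform' && attachment !== 'cross-platform') {
    throw new Error('set authenticatorAttachment explicitly; the default differs per OS');
  }
  const toCred = (id) => ({ type: 'public-key', id: base64urlToBytes(id) });
  return {
    challenge: base64urlToBytes(server.challenge),
    rp: { id: server.rpId, name: server.rpName },
    user: {
      id: base64urlToBytes(server.userId),
      name: server.userName,
      displayName: server.userDisplayName,
    },
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256
      { type: 'public-key', alg: -257 }, // RS256
    ],
    timeout: 60000,
    attestation: 'none',
    excludeCredentials: (server.existingCredentialIds || []).map(toCred),
    authenticatorSelection: {
      authenticatorAttachment: attachment,
      // Design choice for this example: do not create resident keys the user
      // then has no obvious way to delete (see the complaint above).
      residentKey: 'discouraged',
      userVerification: 'preferred',
    },
  };
}

// Login: allowCredentials pins the assertion to the IDs the server knows for this user.
function buildAssertionOptions(server) {
  const toCred = (id) => ({ type: 'public-key', id: base64urlToBytes(id) });
  return {
    challenge: base64urlToBytes(server.challenge),
    rpId: server.rpId,
    timeout: 60000,
    userVerification: 'preferred',
    allowCredentials: (server.credentialIds || []).map(toCred),
  };
}

// Turn the PublicKeyCredential (full of ArrayBuffers) into something JSON.stringify can send.
function serializeAssertion(cred) {
  const b = (buf) => bytesToBase64url(new Uint8Array(buf));
  return {
    id: cred.id,
    rawId: b(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: b(cred.response.clientDataJSON),
      authenticatorData: b(cred.response.authenticatorData),
      signature: b(cred.response.signature),
      userHandle: cred.response.userHandle ? b(cred.response.userHandle) : null,
    },
  };
}

// The WebAuthn prompt is triggered from the click handler, never on page load:
// Safari rejects navigator.credentials.get() without a user gesture.
function wireLoginButton(button, fetchServerOptions, postAssertion) {
  button.addEventListener('click', async () => {
    const serverOpts = await fetchServerOptions(); // assumed: GET /login/verify/options
    const publicKey = buildAssertionOptions(serverOpts);
    const cred = await navigator.credentials.get({ publicKey });
    await postAssertion(serializeAssertion(cred)); // assumed: POST /login/verify
  });
}
```

In the page for `/login/verify/`, call `wireLoginButton(document.querySelector('#verify'), ...)` and render the button on every browser rather than special-casing Safari; a single code path that waits for the click is simpler than detecting which browsers auto-prompt.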
> And Safari for example requires user gestures for navigator.credentials.get(), so if you were thinking of redirecting users to a /login/verify/ page where it will automatically prompt for a WebAuthn verification, you actually need Safari users to click on a button on that page. On other browsers, you can basically just pop up the WebAuthn prompt automatically on page load.
This is something that is being changed in the standard so that user action will be required. Safari just implemented it first.
The problem is that without prompting things like FaceID on the iPhone are so fast that you may get logged in without knowing if there is no user action required.
Would definitely not recommend as a fun project.