
Webauthn/Passkeys are a shattered dream. Remove text from header of README and move section further down the page. #138

Open
evolve2k opened this issue May 6, 2024 · 1 comment

Comments

@evolve2k

evolve2k commented May 6, 2024

Currently the README implies that Webauthn/Passkeys are the way forward.
Consensus in 2024 is that passkeys/Webauthn is a shattered dream. Related Front Page discussion on HN.

"The biggest issue with passkeys is that I just can't trust the companies offering them"
-- Top comment on HN

Request that this front matter is removed and the section on this moved further down the README, maybe including that issues around passkeys/Webauthn are still being resolved and that there is still no mass adoption of this approach.

MFA TOTP remains best practice for password security in 2024 and this project is doing excellent work in this space.

@mdp
Owner

mdp commented May 17, 2024

First off, thanks for opening this issue and sorry for the delay in responding. I think it's a good issue to discuss and wanted to take some time to write up my thoughts on this.

In some ways I agree; Passkeys are a bit of a disaster UX-wise, at least at the moment. Adoption of the full "Passkey" login has not been great, and it's definitely confusing for users. But while I can't predict Passkey adoption with consumers, for more security-focused users (enterprise/corporate) it's already the standard (hardware keys via Webauthn).

Even as bad as the Passkey UX is, there's no way I could recommend TOTP in 2024 for most users.

  1. OTPs are very phishable, so much so that most high-profile orgs have banned their internal use. Google did this more than 6 years ago [1]. Cloudflare, Okta, Twitter: this trend is headed in only one direction.
  2. It's a shared-secret system. As a developer, this puts the onus on me to come up with a way to store it securely and retrieve the plaintext any time a user logs in, as well as prevent replays.
  3. OTPs also seem to be heading towards UI enshittification. Nearly every enrollment will point a user to a mainstream OTP authenticator that then tries to tie this into the provider's backend. Google Authenticator has 100M downloads and a 3.8 rating, mostly due to cloud sync issues.
  4. It's more work for the end user: install an app, scan a code, verify the code, get your phone out every time you need to log in (or when the security team calls you and asks you to read off the OTP to them).

If you've got a user's email and security concerns are low, I think sending them a magic link is probably as safe for most users as TOTP, easier to use and easier for developers to implement (no need to encrypt and manage shared secrets and users don't need a separate app).

For users in more security-critical roles, Webauthn/Passkeys is the solution, while OTP is actually a liability [2].

From personal experience I've moved every provider I can to Passkeys and haven't had much trouble. However it's clear from adoption rates that Passkeys are still not great for many users. But I think that's starting to change. For users with a password manager, like 1Password or Bitwarden (the beta on Testflight just added this on iOS and it works great), it's incredibly easy to use Passkeys now. It mostly just works, and works well.

While I think Passkeys still have many UX issues to solve, falling back to TOTP isn't an option. Put simply, if security is a big concern for your organization, YOU SHOULD NOT BE USING TOTP, or any OTP for that matter. For users that just want a simple 2FA solution, I think you'd be better off just using a simpler solution like magic links.

Footnotes

  [1] https://www.schneier.com/blog/archives/2018/07/google_employee.html

  [2] https://krebsonsecurity.com/2022/08/how-1-time-passcodes-became-a-corporate-liability/
