Web Authentication (WebAuthn) API

EnerJi
edited March 9 in Lounge

I'm pretty excited to see that WebAuthn got upgraded to a "Candidate Recommendation" in the W3C today. Major browser support is coming soon as well - Chrome (in stable channel by v67), Firefox, and Edge have all committed to implementing support this year.

Not sure if this will have any impact on 1Password but I think it's a promising move for web security overall. Hopefully major sites will not take too long to start adopting it (I imagine current FIDO supporters like Google and GitHub will be among the first.)

It might be too soon to know, but if anyone has heard of major sites planning support for WebAuthn I would be quite interested to start an informal running list.

Here's today's press release with some additional details:
https://fidoalliance.org/fido-alliance-and-w3c-achieve-major-standards-milestone-in-global-effort-towards-simpler-stronger-authentication-on-the-web/



Comments

  • brenty

    Team Member

    @EnerJi: It's definitely interesting. But as excited as I get about nerdy stuff like this, it's always tempered by the fact that it's just not something the vast majority of humans will use. I love the technology here, and I think it's an important step toward a better future. Hopefully someday all of this will lead to something both secure and usable for everyone.

    I'd also be interested to know of sites that already support this, but I suspect that those who plan to will mostly just wait until browsers have support for this. I don't know if that's the chicken or the egg, but it's a good place to start I think. :)

  • dknopoff
    edited April 2018

    Since Firefox and Chrome have already said they are planning to support WebAuthn for biometric passwords, I was wondering if 1Password plans to leverage this so we can use fingerprint unlock devices that support them.


    1Password Version: Not Provided
    Extension Version: X
    OS Version: Not Provided
    Sync Type: Not Provided

  • beyer

    Team Member

    Hey @dknopoff,

    It's too early for me to comment on WebAuthn, but from what I've seen it's well on its way to becoming an approved web standard by the W3C being that it's currently in the "candidate recommendation" stage.

    As you may know, both 1Password for Windows and Mac allow users to unlock using either Windows Hello or Touch ID. A more straightforward (relatively so) first step for us is to communicate and securely share a lock state with one of our native 1Password apps for folks who have them installed.

    I can't make any promises since we can't predict the future, but I think the fact that 1Password X exists is pretty decent evidence we love to build apps using the latest web technologies. Using Firefox as an example, 1Password X can't run on their stable version (59) – that's how new (at least to Firefox) the APIs we use are.

    Sorry that I couldn't give you a more direct answer, but answers for the future of 1Password change on a near-daily basis which really keeps things interesting around here. 🤘

    Cheers!

    &drew

  • @brenty I hope perhaps something like this will go truly mainstream, but it's probably a long way out. I agree it will probably take quite a while for the chicken/egg problem to be solved. I was perhaps a bit overoptimistic about this. Still something interesting to keep an eye on. :)

  • nbuuck
    edited April 2018

    I think WebAuthn has a good use case in 1Password as an alternative to the existing TOTP method of 2FA.

  • brenty

    Team Member

    > I hope perhaps something like this will go truly mainstream, but it's probably a long way out. I agree it will probably take quite a while for the chicken/egg problem to be solved. I was perhaps a bit overoptimistic about this. Still something interesting to keep an eye on. :)

    @EnerJi: Totally! Thanks for bringing it up. This is fascinating stuff, and part of the fun is seeing how things play out in the real world. :)

  • brenty

    Team Member

    > I think WebAuthn has a good use case in 1Password as an alternative to the existing TOTP method of 2FA.

    @nbuuck: Thanks for the feedback! We're interested to see how it pans out. Perhaps it will make sense for 1Password to use it — or something similar — in the future. :)

  • Web Authentication is being implemented in browsers - I wish I could just have 1Password tap into this and have fewer steps logging in https://www.engadget.com/2018/05/30/chrome-67-web-authentication/

  • Ben AWS Team

    Team Member

    Definitely something to consider for the future. :)

    Ben

  • Looks like it's now officially accepted!

  • brenty

    Team Member

    Yep! Nothing to announce with regard to 1Password, but we're always exploring different technologies to see if they might be a good fit. :)

  • I've just started implementing WebAuthn in a few internal apps, and this is the future. To be honest, I'm quite surprised it's taken us this long to standardize an imposter/eavesdropper-resistant approach to web authentication.

    I personally use (and soon my company will use) 1Password exclusively for user secret storage. Adding WebAuthn Authenticator functionality to 1Password would be spectacular for promoting general adoption of this superior technology, since the UX inside 1Password could be so similar between WebAuthn and passwords. Further, 1Password's zero-knowledge approach is far more desirable than say, Google's, which ships user credentials off to servers in a way that makes them susceptible to a breach, subpoenas, etc.

    This certainly isn't urgent... but it would be really cool to see 1Password lead the way in this!

    Related thread

  • brenty

    Team Member
    edited March 9

    We really don't need more than one. I'll merge it. Thanks for sharing your experience! :)

  • I'm sooo looking forward to having FIDO2 adopted by 1Password and to using fingerprints / hardware keys for logging in or maybe just 2FA...
    Individual and Family plans too, not just for business.

  • Not a fan of biometrics, when one is compromised you lose a finger..... and that could be per device (so, I lose a finger for all Apple devices) or if someone starts taking down fingerprint databases and generating the right hashes... I'll pass and stick to user id/password and a second factor like Yubikey. Even hardware token alone bugs me, like FIDO2. Since a coworker can just get my keys with my sec key! But WebAuth is just a way to communicate and not necessarily an authentication solution per se.

  • brenty

    Team Member

    Biometrics, like many authentication methods, are very useful in addition to a secret that you have full control over -- especially since biometric data is not really secret, as you mentioned. I think it's tempting to get overly enthusiastic about new technologies because they're so dang cool, but with time we can all get a better handle on what they are (and are not) good for. :)
