lastlogin-net/obligator

suggestion for future consideration: WebAuthn FIDO2 (passkeys)

OperativeThunny opened this issue · 1 comment

I have not done much digging into this project yet, but a suggestion I have after reading the readme file is in response to the blurb about sending a unique code to the email. The suggestion is to add a registration flow that confirms ownership of the email, as you already do, but then also allows linking that email to a FIDO2 token registration via WebAuthn, which is what passkeys use.

I suggest this because I use a variety of WebAuthn devices all the time now, and I think that method of authenticating is much, much better than passwords and, in my opinion, is more convenient than clicking on a link sent to your email. There are authenticator smartcards (my preference), USB tokens like YubiKeys and the open-source derivatives, and of course now Google and Apple passkeys, supported by the trusted platform modules or HSMs on the new phones.

Hi @OperativeThunny. The main problem with this is that obligator doesn't store any user data (all state is client-side in JWT cookies), so there's nowhere to store a link between a WebAuthn key and an email address. If there's some way to store an email address in the key, that could be interesting, but I don't believe that's possible.

This could be added in the future, but right now I'm trying to keep obligator as stateless as possible for performance and security reasons.