slouchpie

slouchpie

Webauthn - what to do for lost passkeys?

I am experimenting with GitHub - liveshowy/webauthn_components: WebauthnComponents allows Phoenix developers to quickly add passwordless authentication to LiveView applications. · GitHub

I am wondering what to do when a user loses their passkey. Here is what I think should happen:

  1. “Lost passkey” button which un-hides an email input.
  2. Send a “create new passkey” email with some kind of link with a token
  3. Much like the process by which an email is confirmed, handle the “create new passkey” link in a controller and create a passkey if the token is right
  4. Upon successful passkey creation, login user and redirect to, say, home.

Does this sound right? @type1fool you are probably the best person to ask about this.

Marked As Solved

type1fool

type1fool

Hey @slouchpie! After a quick skim of the original post, I’d say it’s best to establish backup methods when an account is created and when a passkey is added. That could mean generating backup codes or encouraging registration of a second passkey or other auth method.

With the vulnerabilities of SMS, email, and OTP codes, and the unfamiliarity of Passkeys, it’s not always an easy choice. It really depends on the threat model of the application and its users.

Ideally, the user could register two passkeys, which would provide the most security. Practically, that may be complicated. WebauthnComponents doesn’t yet have examples for registering additional passkeys, but it could be implemented manually by following the example code. Secondary key registration is something I will tackle eventually if there hasn’t been a contribution from the community.

I may follow up in more detail later, but that’s hopefully informative.

Also Liked

slouchpie

slouchpie

Sorry for the necro but I have been working on the WebAuthn integration in my own project and I have some concrete principles for the future auth system. Sharing them here for posterity.

  1. Users need a unique, confirmed email. The “just passkeys” approach is valid but almost everyone has an Apple/Google device, which means an Apple/Google account, which means an email.
  2. Put each “flow” in its own LiveVIew (same as phx.gen.auth)
  3. Let the users decide if their email can be used for recovery.
  4. Let the users decide if backup codes can be used for recovery.
  5. Loudly tell the user if they have no recovery mechanism in place, prompt them to allow email recovery (this is just for my system, other apps will have different priorities).
  6. Let users manage their keys. I am considering how to add helpful info to them. I am already parsing the user agent with UAInspector so I might just use that. This should allow “create passkey”.
  7. If user signs in using “sign in with a different device” flow - can this be detected? Presumably yes. If so, prompt them to visit “manage keys” view with “create key on current device” action.

The best-laid plans, etc.

eahanson

eahanson

Yes, I’m using WebAuthn. When a user signs in on a new device, they are sent a one time code ([ab]using NimbleTOTP) just like when they signed up in the first place.

In the database, we allow multiple passkeys per user. This allows users to log in from multiple computers even if they can’t share passcodes between computers, and also allows users to delete all their passcodes and still be able to log in. When building the passkey flow, I created a lot of passkeys on my computer so it was really nice to be able to delete them all and still be able to log back in.

For one of my apps that uses passkeys, all users must supply an email address because there are a number of email-based workflows. In another app, email is not heavily used, so I like the idea of using backup codes and allowing users to not ever give us an email address.

type1fool

type1fool

Shout out to @slouchpie for making some valuable contributions over the past few weeks!

https://github.com/liveshowy/webauthn_components/pulls?q=is%3Apr+is%3Aclosed+author%3Apeaceful-james+

Where Next?

Popular in Questions Top

Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
gshaw
What is the idiomatic way of matching for not nil in Elixir? E.g., First way: defp halt_if_not_signed_in(conn, signed_in_account) when...
New
shahryarjb
Hello, I get Persian date from my client and convert it to normal calendar like this: def jalali_string_to_miladi_english_number(persi...
New
earth10
Hi, I’m just starting to build a side-project with Elixir and Phoenix and doing some basic test with Elixir alone. What strikes me is th...
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
Emily
I have VueJS GUIs with the project generated using Webpack. I have Elixir modules that will need to be used by the VueJS GUIs. I forese...
New
aalberti333
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this: ...
New
fayddelight
I tried installing elixir 1.11.2 erlang 23.3.4 via asdf in my zsh shell. Enabled the versions locally and globally. When I list them ...
New
dblack
I’ve got an issue with an app and I’ve no idea of how to troubleshoot it. I’m hoping someone here might have seen something similar. I p...
New
komlanvi
Hi everyone, I was playing with phoenix liveView but I run into an issue. I have a form and want to validate each input text when the te...
New

Other popular topics Top

lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
Patoshizzle
After calling mix ecto.create I get this error: 17:00:32.162 [error] GenServer #PID<0.412.0> terminating ** (Postgrex.Error) FATAL...
New
jerry
Good day to you all. I have been struggling to get a query involving like and ilike to work. Can anyone assist me on this, please? pro...
New
vonH
When I run the Plug and I recompile I wind up having to use Ctrl C to quit iex and start again. Witht the help of rlwrap I can use the cu...
New
Qqwy
Original source of discussion: This topic on the Pragmatic Programmers’ Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
axelson
This post is a wiki (feel free to hit the edit button near the bottom right of this post to add your own changes!) This post collects co...
239 47930 226
New
openscript
Hello! Sorry for this astonishing simple question, but I’m really stuck. I try to set up the intellij-elixir plugin, but I don’t know ho...
New
AstonJ
Seen any cool LiveView demos, sample apps or examples? Please post them here! :003:
New
hariharasudhan94
Lets say I have map like this fetching from my database %{"_id" => #BSON.ObjectId<58eb1a7a9ad169198c3dXXXX>, "email" => ...
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New

We're in Beta

About us Mission Statement