WebAuthnLiveComponent - Passwordless Auth for LiveView Apps

Update

Thank you to everyone who has tried the updated component - it’s great to see the interest. Although interest is fairly low, it’s early days, and I’m glad to have the flexibility to make significant changes discussed below.

My next updates will add telemetry and improve documentation for this somewhat convoluted authentication process. The public project shows completed and planned work for this repo.

RE: MFA

This clarifies things a bit. Now I understand you are also looking for multi-factor authentication (MFA) for apps using phx.gen.auth or other implementations of traditional authentication.

Passkeys should be considered a more secure alternative to traditional authentication:

Based on industry standards for account authentication, passkeys are easier to use than passwords and far more secure. Adopt passkeys to give people a simple, secure way to sign in to your apps and websites across platforms — with no passwords required.

Passkeys Overview - Apple Developer

Once I am updating documentation, I will attempt to clearly distinguish between Passkeys and MFA.

For basic auth + MFA, WebAuthn does provide a better means of securing accounts than SMS, email, or one-time password codes. However, I believe this would require a separate component since the flows are a bit different.

Multiple Keys

Your question is in line with thoughts I was having towards the end of the demo app update:

What if a user wants to add a secondary/backup/family/survivor key?

The answer seems to be splitting up the registration and authentication buttons into separate components. By doing so, it may be easier to support MFA for apps using traditional auth:

  • The registration component would need to accept user data.
  • It’s not clear yet whether the dedicated authentication component would also work well for MFA, or whether a separate component would be necessary.

Hello Again, World!

With this shift in component design, the time has come to retire the webauthn_live_component package and introduce webauthn_components. My hope is that this new package would be more flexible to the implementations we’ve discussed, possibly others.
