I see a lot of confusion in this thread (warranted, because it's a confusing subject), and I want to clarify a few things: U2F is the old standard, it is only meant to be used as a second factor. WebAuthn is the new standard, it has different modes for usage as a second factor, first factor and single factor (usernameless). Only the usernameless mode requires state on the client side. Usernameless strikes me as the holy grail of authentication, where we don't need to remember any usernames or passwords (or even have them), but I haven't seen any websites that support usernameless authentication, other than demo ones and my own. If you want to see what a usernameless flow looks like, you can visit https://www.deadmansswitch.net/. You have to log in with an email link first, and then associate your FIDO2 credential with it. You don't need a hardware key, for example on phones you can use your fingerprint reader and it will work fine. The problem with hardware keys, and which is not mentioned anywhere, is that because usernameless requires storage on the key, Yubikeys only support a maximum of 25 sites you can authenticate with. In order to further my goal of some day ditching password managers, I also made a Django library for usernameless logins which you can use today on your Django sites: https://pypi.org/project/django-webauthin/
> Your security key can't be used with this site
> www.deadmansswitch.net may require a newer or different kind of security key
This is with a Yubico Security Key 2 which I thought supported FIDO2.