by dcow 1576 days ago
I feel like this demo is just a conversation starter and not a serious attempt at a login scheme. Like, signing and verifying using ed25519 is not hard, and adding a CLI to do some crypto operations is not novel. If someone was implementing this they wouldn't shell out anyway, since there is very good library support in <insert your language of choice>. The only thing WebAuthn needs to figure out is soft keys. Users don't want to enroll devices; they want to log in with Face/Touch ID. The WebAuthn UX is broken and needs to be revamped so that users can choose a not technically perfect but still effective and better-than-passwords security posture where they reuse a soft WebAuthn key across devices. If whatever agent handling the soft key encrypts it at rest using device keys, you're effectively isomorphic to "key never leaves the device".

It would be nice if hardware devices supported a non-resident key mode where you could give it an encrypted key and it would decrypt the key on device memory using an on-device key and then use the decrypted key for a crypto operation (encryption or signing). Then you could get a pretty much perfectly isomorphic experience with a non-resident key.

2 comments

> Users don't want to enroll devices; they want to log in with Face/Touch ID. The WebAuthn UX is broken and needs to be revamped so that users can choose a not technically perfect but still effective and better-than-passwords security posture where they reuse a soft WebAuthn key across devices.

I'm not sure I understand the problem here. WebAuthn is entirely agnostic about the physical factor: it can be a hardware key, a software implementation, TouchID/FaceID, or anything else. You can already use TouchID and FaceID on sites that use WebAuthn, and the UX is perfectly fine. You still have to enroll the device, but that's no different from the Face/TouchID UX in any other authentication context.

The problem is device enrollment. I am saying users want to use Face ID to log in like they currently use a password. They don't want to enroll devices with a service. Browsers don't support software WebAuthn, so the fact that it can happen is kinda moot. The existing browser-controlled implementation of the UX is what I'm complaining about. There's this assumption in the security community that users need hardware-backed crypto and soft keys with an agent in between aren't acceptable. I'm saying for almost all users a soft-key setup backed by hardware primitives works just fine and is better than password auth, but lamenting that it's unlikely we'll see support for it because of platform control under the guise of better security.

Think of it this way: users would be better off with SSH-style login instead of passwords, but the "industry" seems to have skipped that step for consumers and gone straight to hardware keys.

> Users don't want to enroll devices; they want to log in with Face/Touch ID.

Not all users. I'm a user. I want to log in with my SSH key because it's far more secure than my face or fingerprint.

Yeah sorry I should have qualified: average consumer users.