[dcow]

Your tone is overly dismissive. If you want to be constructive then have a constructive conversation and not a dismissive knee jerk reaction. Your comment reads like “I haven’t read a standard for this or bothered to really take a look and it’s new therefore it’s fundamentally bad and insecure and not worth my time”. This repo is simply proposing using signed timestamps for auth. It would be nice to keep the discussion on that topic and it’s merits. Personally I think webauthn is not too complex and just needs to not be locked up in browser land so we can have a real softkey impl so we probably actually agree on our general outlook. You’re just kind a being a security diva about the whole thing and it’s not really fair to the author.

[md_]

Which part was knee jerk? I read everything on the (minimal) webpage. It doesn’t explain anything of substance, nor does it anticipate the (obvious) issues other commenters here noted. It’s like the author just proposed to remove everything they didn’t understand from Webauthn and was left with this.

Honestly, this discussion isn’t worth the time.

As for software webauthn keys:

- What do you mean “locked up in browser land?” You can use FIDO elsewhere (e.g. ssh https://ubuntu.com/blog/enhanced-ssh-and-fido-authentication...).

- Softkeys are available—in fact, iOS, Android, MacOS, and Windows 11 all do webauthn by default, without the need for a hardware token.

[dcow]

And what’s left is essentially wireguard for logins. People love wireguard for its simplicity because it doesn’t use certs and PAKEs and whatnot. Yeah there are valid criticisms and I’ve critiqued the work as well in other comments. But the “this is utter shit how could anyone imagine this is a valid idea” is not productive.

> Honestly, this discussion isn’t worth the time.

That’s my point. If it’s not worth your time then let others who are interested discuss rather than just pissing all over the author’s project.

> - Softkeys are available—in fact, iOS, Android, MacOS, and Windows 11 all do webauthn by default, without the need for a hardware token.

That’s not soft keys it’s “platform authenticator”.

When I say softkeys I mean keys managed by a user agent such that they can be portable, like is common with ssh. SSH is popular because it’s gives users the freedom to easily elect their security posture: do they want a user key that can be deployed to different devices or are they super paranoid and want a device key. Do they want a software agent to manage soft keys for them and it can handle the device security and hardware crypto engine support. Not your concern, not the protocols concern, not the services concern: it’s the user’s concern.

Wireguard has soft keys, too.

WebAuthn’s crowd and browser implementers on the other hand seem fixated on making sure users never have the option to deploy the protocol in such a way. That’s the problem.

[md_]

> People love wireguard for its simplicity because it doesn’t use certs and PAKEs and whatnot.

I don't know of a VPN that uses PAKE, so I don't get this comparison, but whatever.

My point about certs was that OP was effectively proposing self-signed X509 client certs. It's unclear to me in what way those are harder to use than the proposal here, except that they actually are a widely accepted standard with user agent support.

> WebAuthn’s crowd and browser implementers on the other hand seem fixated on making sure users never have the option to deploy the protocol in such a way. That’s the problem.

https://github.com/herrjemand/awesome-webauthn#software-auth...?

[dcow]

It kinda feels like you’re deliberately talking around my point. I’m not saying existing VPNs use PAKEs and it makes them bad. I’m saying you don't need a PAKE to have “modern” authentication. And look at wireguard which is loved for being a dead simple protocol that uses raw keypairs. Therefor it’s not absurd to imagine a very simple protocol like this.

You are correct that client certs have user agent support. Honestly it’s a pretty poor UX though. Have you actually tried building a consumer application that uses client certs in the browser? Good luck getting users to install client certs. Client certs work fine everywhere else where you can run bespoke client software (native apps) except for the part where they authenticate the connection and not the request, but that’s not the point either.

Anyway it’s great that other implementations of webauthn exist. But like I just said for client certs: outside of the browser anyone can do anything so webauthn is not a game changer there (not to downplay it). Where WebAuthn matters is for client authentication in the browser and in that arena it is locked down to platform auth and hardware device auth mechanisms. There is no way users could benefit from webauthn right now without the browser-supplied UX.

All I’m saying is that WebAuthn would be way more viable in the way people are asking for in this thread if for example browsers/platforms allowed extensions to participate as a soft WebAuthn agent so that users could choose their preferred WebAuthn backend and UX instead of the browser supplied options. The browser client cert UX sucks and so does browser vendor WebAuthn and I think their adoption story is all the proof you need.