by mcstempel 1341 days ago
As usual - it depends.

There have been two main problems with WebAuthn as a primary factor. The first is that the UX experience of WebAuthn as a primary factor - either for "passwordless" or "usernameless" scenarios - has been pretty rough. The WebAuthn W3C group has put together a document that goes into far more detail [1]. One of the items out of that discussion was a standards change [2] that was merged in a few months ago. Now it's up to browser vendors to implement that change over the coming months and years.

The second problem with WebAuthn is that device based authentication has been historically risky for consumer users long-term. It's unreasonable to expect an individual to have access to their phone, yubikey, or laptop over a period of years. In the B2B space, this isn't as big of a deal. Getting an IT admin that works for your company to reset your access and issue a new credential is not a complex problem. Not so in the B2C space. Devices get lost or stolen, and then the service operator needs to build out an alternative recovery method that needs to be as secure as WebAuthn (ideally, without infringing on the user's privacy via KYC methods). New developments like Apple's PassKeys are super interesting and have the potential to really be a game changer for B2C WebAuthn adoption.

In summary, WebAuthn probably can't replace the password for your application today, unless your users are tech savvy and OK with the lock-out risk. However, the space is going through some exciting changes and it may be much more feasible in a few years!

[1] https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Con...
[2] https://github.com/w3c/webauthn/pull/1576
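As an added illustration of the lock-out trade-off the comment above describes (this is example code written for this page, not the commenter's code and not a snippet from the WebAuthn spec): a relying-party-side check that parses the fixed prefix of WebAuthn authenticator data, reads the flags byte (including the backup-eligible and backup-state bits that synced passkeys set), and classifies an account's lock-out risk before the service lets the password be dropped. The risk tiers, the `authenticator_attachment` value recorded at registration, and the sample credentials are assumptions constructed for the example; the byte layout and flag bit positions follow the WebAuthn specification.

```python
import struct
from dataclasses import dataclass
from typing import Iterable

# Bits of the WebAuthn authenticator data "flags" byte (WebAuthn Level 3, §6.1).
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified (PIN/biometric) - needed for a primary-factor login
FLAG_BE = 1 << 3  # backup eligible: credential may be synced (e.g. a passkey)
FLAG_BS = 1 << 4  # backup state: credential is currently backed up / synced
FLAG_AT = 1 << 6  # attested credential data follows
FLAG_ED = 1 << 7  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(auth_data: bytes) -> AuthData:
    """Parse the 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return AuthData(rp_id_hash, flags, sign_count)


def make_auth_data(flags: int, sign_count: int, rp_id_hash: bytes = b"\x11" * 32) -> bytes:
    """Constructed helper: build a minimal authenticator-data blob for testing."""
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


def acceptable_as_primary_factor(auth: AuthData) -> bool:
    """A passwordless assertion must carry both user presence and user verification."""
    return bool(auth.flags & FLAG_UP) and bool(auth.flags & FLAG_UV)


@dataclass
class RegisteredCredential:
    credential_id: str
    flags: int                      # flags byte captured at registration / last assertion
    authenticator_attachment: str   # "platform" or "cross-platform" (assumed stored by the RP)

    @property
    def backed_up(self) -> bool:
        # BS is only meaningful when BE is also set.
        return bool(self.flags & FLAG_BE) and bool(self.flags & FLAG_BS)


def passwordless_lockout_risk(creds: Iterable[RegisteredCredential]) -> str:
    """Assumed policy tiers for an account that would rely on WebAuthn alone.

    low    - at least one credential is currently synced (a passkey): survives device loss
    medium - two or more credentials on different attachment types, e.g. laptop + roaming key
    high   - a single device-bound credential, or several on the same kind of device
    """
    creds = list(creds)
    if not creds:
        return "no-webauthn"
    if any(c.backed_up for c in creds):
        return "low"
    attachments = {c.authenticator_attachment for c in creds}
    if len(creds) >= 2 and len(attachments) >= 2:
        return "medium"
    return "high"


def may_drop_password(creds: Iterable[RegisteredCredential]) -> bool:
    """Only let the user remove the password when the lock-out risk is low or medium."""
    return passwordless_lockout_risk(creds) in ("low", "medium")


if __name__ == "__main__":
    # Constructed sample: one synced passkey (BE+BS set), one device-bound platform credential.
    passkey = RegisteredCredential("cred-a", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, "platform")
    bound = RegisteredCredential("cred-b", FLAG_UP | FLAG_UV, "platform")
    print("risk with passkey:", passwordless_lockout_risk([passkey, bound]))   # low
    print("risk device-bound only:", passwordless_lockout_risk([bound]))      # high
    auth = parse_authenticator_data(make_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 7))
    print("primary-factor ok:", acceptable_as_primary_factor(auth), "counter:", auth.sign_count)
```

The `backed_up` property is the piece that ties the thread together: a relying party cannot know whether a credential will survive the loss of a phone or laptop, but a synced passkey reports that state in the flags byte on every assertion, which is what lets the policy move an account from "high" to "low" without any KYC-style recovery.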


> New developments like Apple's PassKeys

Note that passkeys come out of the collaboration of many industry partners within FIDO and WebAuthn. I.e. it's not "Apple PassKeys" -- just "passkeys".

See for example https://fidoalliance.org/passkeys/

(disclaimer/context: I work on passkeys at Google)

Ah yes, good call out! Didn't mean to exclude Google's contributions to this step forward in auth. I was super excited to read those additional details in Google announcement earlier this week. For those that haven't seen it: https://android-developers.googleblog.com/2022/10/bringing-p...