by dyml 823 days ago
You make a valid point about “non-resident” WebAuthn 2FA being great 2FA. However, passkeys are also great, and they depend on your context… Most people are in the passkey context.

For people who are not knee-deep I think we can explain it a bit better, why passkeys replace passwords:

With non-resident (2FA keys) you need to identify your account first. Since you don’t want to have account enumeration, this means doing a primary authentication, e.g. passwords.

With passkeys, the website can just ask your browser to sign in with any of the accounts it has passkeys for, which results in a one-click sign in.

While hardware-backed Security Keys for 2FA are great 2FA, there’s a tangible cost, both in UX and $, that leaves many users left out (not everyone can afford $20 for a security key).

Source: I work at Bitwarden building our Passkey API for developers. We support both 2FA and passkeys, both in the API service and in our password manager. Feel free to ask me anything related.


You don't need a password to prevent account enumeration; you can send people who choose a nonexistent account a bogus credential that the token won't accept.

You have to display the password prompt for invalid accounts to avoid enumeration without webauthn too...

> Since you don’t want to have account enumeration, this means doing a primary authentication, e.g. passwords.

Nothing prevents a site from sending a blob of random data when the real key is not found.

> While hardware backed Security Keys for 2FA is great 2FA, there’s a tangible cost, both in UX and $ that leaves many users left out (not everyone can afford $20 for a security key)

Both major desktop operating systems come with WebAuthn support - Windows via Windows Hello and macOS with a Secure Enclave backed key store. That's not a problem at all in a corp environment. Buying a Yubikey (or two) for each employee in the company is a minimal cost compared to laptop, desk, chair, software licenses.

We use WebAuthn as the first factor, and we love it because it completely eliminated the password brute force problem. Password attacks (brute force and stuffing) are a much bigger problem than account enumeration, especially in corp environments where usernames follow a name-based pattern and everybody is on LinkedIn.

BTW, we are a paid Bitwarden customer, and our Helpdesk was not too happy when a Bitwarden update resulted in an unexpected prompt interrupting the WebAuthn authentication flow for users.
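The two comments above ("send a bogus credential that the token won't accept" and "send a blob of random data when the real key is not found") describe the standard defence against username enumeration on a WebAuthn-first-factor login. Here is that idea worked out as an added example in Python (standard library only; this is not code from any commenter, from Bitwarden, or from any WebAuthn library). The in-memory credential store, the `DECOY_SECRET` value and the `RP_ID` of `example.com` are constructed placeholders. One refinement over a purely random blob is that the decoy credential ID is derived with a keyed HMAC over the username, so a repeated request for the same unknown account returns the same ID; a fresh random blob on every call would itself be a tell, because real accounts return stable IDs.

```python
import base64
import hashlib
import hmac
import os

# Constructed in-memory relying-party store: username -> list of registered
# credential IDs (bytes). A real deployment reads this from its database.
CREDENTIAL_STORE = {
    "alice": [bytes.fromhex("a1" * 32)],
    "bob": [bytes.fromhex("b2" * 32), bytes.fromhex("b3" * 32)],
}

# Hypothetical server-side secret used only to derive decoy credential IDs.
# In practice this comes from a secrets manager, never from source code.
DECOY_SECRET = b"constructed-example-secret-do-not-reuse"
CREDENTIAL_ID_LEN = 32          # match the length of the real credential IDs
RP_ID = "example.com"           # placeholder relying-party ID


def _b64url(data: bytes) -> str:
    """WebAuthn transports binary fields as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _normalize(username: str) -> str:
    return username.strip().lower()


def decoy_credential_id(username: str) -> bytes:
    """Deterministic fake credential ID for an account that does not exist.

    Keyed HMAC over the normalized username: the same unknown name always
    maps to the same ID, so callers cannot distinguish 'unknown' from
    'known' by asking twice and watching whether the ID changes. Without
    the secret, nobody can compute which IDs are decoys.
    """
    digest = hmac.new(DECOY_SECRET, _normalize(username).encode("utf-8"),
                      hashlib.sha256).digest()
    return digest[:CREDENTIAL_ID_LEN]


def assertion_options(username: str) -> dict:
    """Build the PublicKeyCredentialRequestOptions-shaped dict sent to the
    browser for navigator.credentials.get(). The shape, field set and
    encoding are identical whether or not the account exists; only the
    content of allowCredentials differs, and a decoy ID matches no key on
    any authenticator, so the token can never produce a valid assertion.
    """
    real_ids = CREDENTIAL_STORE.get(_normalize(username))
    allow = real_ids if real_ids else [decoy_credential_id(username)]
    return {
        "challenge": _b64url(os.urandom(32)),   # fresh per request
        "rpId": RP_ID,
        "timeout": 60000,
        "userVerification": "preferred",
        "allowCredentials": [
            {"type": "public-key", "id": _b64url(cid)} for cid in allow
        ],
    }


def is_known_credential(username: str, credential_id_b64: str) -> bool:
    """Server-side gate when the assertion comes back: only credential IDs
    actually registered for the account proceed to signature verification.
    A decoy ID is never in the store, so it is rejected here regardless of
    what the client sends. constant-time compare avoids a timing channel.
    """
    known = CREDENTIAL_STORE.get(_normalize(username), [])
    return any(hmac.compare_digest(_b64url(cid), credential_id_b64) for cid in known)


if __name__ == "__main__":
    for name in ("alice", "nobody"):
        opts = assertion_options(name)
        print(name, "->", [c["id"][:12] + "..." for c in opts["allowCredentials"]])
```

Two caveats a reviewer would raise: the number of entries in `allowCredentials` is still observable (a user with several keys gets several entries, an unknown user gets exactly one), and response timing must be kept comparable between the two branches; the decoy only closes the "does this account exist" channel that the thread discusses, and does nothing about the brute-force and stuffing problem that the comment above rightly calls the bigger one.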

A bit of a tangent but do you have a view on prices for hardware security keys like YubiKey? For private use they're a pricey option, especially if you get a few backup keys. Could a big actor like Google, if they wanted, scale up production, sell at cost and get prices down to say $2 each? Or are the components and manufacturing inherently more costly? Is there anything on the horizon that will likely bring much lower prices?

This is why they're pushing passkeys in phones' secure element with cloud account sync: getting people to keep a separate set of hardware keys is nigh impossible at scale.

Sure, but why not preserve the option for people to use hardware keys?

Unfortunately, both the FIDO and WebAuthN working groups seem to be dead-set on making the hardware authenticator use case as painful as possible [1] [2] [3].

I just don't get it. Why even try to pretend that WebAuthN is a single API for both use cases when all stakeholders in charge seem to have given up on one of them?

[1] https://github.com/fido-alliance/how-to-fido/issues/16

[2] https://github.com/w3c/webauthn/issues/1612

[3] https://github.com/w3c/webauthn/issues/1822

There is actually a path to $2 keys:

Most modern smartphones support contactless smartcards (a.k.a. "NFC"), which can be used as FIDO credentials. It should be possible to produce these for around $2 at scale.

They wouldn't work at computers, unfortunately (not even with an adapter, since desktop browsers and OSes don't expect to speak FIDO-over-ISO-7816-over-CTAP-over-USB), but with QR-based cross-platform flows now part of the specs, phones could pretty straightforwardly serve as readers for other devices.

If large issuers of ISO-based smart cards (e.g. banks or government authorities for biometric ID cards and passports) could be convinced to just throw a FIDO implementation on there (there's open-source ones available!), people could even use the cards they already own.

Yubikey used to sell a simple Webauthn-only key for $10-$15. USB-only, no NFC or anything. It was blue instead of the standard black. That one was essentially killed when Passkeys became popular, because it didn't support resident keys. I believe some companies (Google? Github?) were giving them away for free.

Its replacement is $25, which is expensive enough to be an issue for poor people.

Thanks, I'll look into that product. Less costly, but still far from the $2 scenario. If hardware keys got to a super low price point, or were even handed out for free or bundled with new phones or PCs, I imagine lots of people would prefer them over passkeys.

I am a yubikey user, but they are a terrible option for a normal person. Losing a hardware key means being locked out from all your accounts for real, and if cryptography taught me one thing it's that people are not responsible enough to manage their own keys (keep a backup key up to date, print recovery codes, etc.)