☕️ Insufficient Coffee

Trying Out Web Authentication (WebAuthn)

Published 2018-01-11

Web Authentication is now enabled in Firefox Nightly, with intent to ship in version 60.

WebAuthn provides two-factor authentication built on public-key cryptography – and unlike codes via smartphone apps or text messages, it’s immune to phishing as we know it today.

Trying it out

To get started playing around with it, I have some driver code available at https://webauthn.bin.coffee/. [Code] It’s all client-side JavaScript and shouldn’t necessarily be used to build real solutions, but you can give it a try. You just need a Yubikey, U2F Zero, or similar U2F device. (Brad Hill’s review of U2F devices is an excellent place to start, if you don’t already have one of these things.)

You can also try out https://webauthn.io/, which is written by some engineers at Duo. [Code]

[Image: WebAuthn.io prompt]

Finally, Google has https://webauthndemo.appspot.com/ [Code]

Caution about jsfiddle, etc

Web Authentication is a powerful feature; as such, it can only be used in Secure Contexts and, if used in a frame, only when all of the frames are from the same origin as the parent document. This means that you are likely to encounter security errors when experimenting with it on some popular testing websites (such as jsfiddle.net), which run your code inside frames.
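
As an added example (not code from any of the demos linked on this page), the sketch below checks the two restrictions described above before the API is called: a Secure Context, and ancestor frames that share the document's origin. The function name `webauthnPreflight`, the `fakeWindow` helper and the `.example` origins are assumptions made for illustration.

```javascript
// Added example: preflight check for the two restrictions described above.
// `win` is any window-like object; in a browser, pass `window`.
function webauthnPreflight(win) {
  const problems = [];
  // Restriction 1: Secure Contexts only.
  if (!win.isSecureContext) problems.push("not a secure context");
  // The API surface is missing when the browser does not expose WebAuthn here.
  if (typeof win.PublicKeyCredential === "undefined" ||
      !win.navigator || !win.navigator.credentials) {
    problems.push("WebAuthn API not exposed");
  }
  // Restriction 2: every ancestor frame must share this document's origin.
  let frame = win;
  while (frame.parent && frame.parent !== frame) {
    let parentOrigin = null;
    try {
      // Browsers throw a SecurityError when reading a cross-origin location.
      parentOrigin = frame.parent.location.origin;
    } catch (e) { /* treated as cross-origin below */ }
    if (parentOrigin !== win.location.origin) {
      problems.push("cross-origin ancestor frame");
      break;
    }
    frame = frame.parent;
  }
  return { usable: problems.length === 0, problems };
}

// Constructed window-like objects standing in for real browser frames.
function fakeWindow(origin, secure, parent) {
  const w = {
    isSecureContext: secure,
    PublicKeyCredential: function () {},
    navigator: { credentials: {} },
    location: { origin },
  };
  w.parent = parent || w; // a top-level window is its own parent
  return w;
}

// A top-level HTTPS page, and a result frame hosted by a different origin
// (the situation on code-playground sites). Origins are constructed.
const topLevel = fakeWindow("https://demo.example", true);
const sandboxed = fakeWindow("https://sandbox.example", true,
                             fakeWindow("https://editor.example", true));
console.log(webauthnPreflight(topLevel));
console.log(webauthnPreflight(sandboxed));
```

In a browser, calling `webauthnPreflight(window)` before `navigator.credentials.create()` gives a readable reason up front instead of a security error from the call itself.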

tl;dr

  • https://webauthndemo.appspot.com has code online at https://github.com/google/webauthndemo
  • https://webauthn.io/ has code online at https://github.com/duo-labs/webauthn
  • https://webauthn.bin.coffee/ is pure JS for fiddling, code online at https://github.com/jcjones/webauthn.bin.coffee