Few open questions around FIDO2 webauthn and U2F
I've read in multiple places that since U2F doesn’t have a concept of a user it can be used as one of the factors for login (in MFA) but not ideal for passwordless whereas webauthn has the concept of users which could help with passwordless. My question is what is that extra that webauthn adds to allow this? Yes, we do pass user information when we create the credentials but in the end we're returned a credential id (which seems to be very similar to the keyhandle) and is used to associate the user (on the server). For what i understand, webauthn def has the advantage of working with different authenticators (not just U2F keys) but apart from that what exactly does webauthn add to make passwordless easier.
CTAP describes how the browser and operating system establish communications with a compliant authentication device over USB, NFC or BLE communication mediums. Could we say CTAP is an application layer protocol (like FTP?)
When i use the finger print feature on my android phone to verify using webauthn, is the browser communicating with the OS (which in turn pops up the authenticator) using CTAP2? Where does ufc, nfc, ble, internal come up here?
Here is a diagram for browser support for webauthn. In chrome/android, what does it mean to have stable support for WebAuthnAPI but In development support for CTAP2? Does it mean some authenticators wont be supported?
The spec specifically refers to it as an application layer protocol in the abstract:
The implementation from browser to browser and OS to OS will differ. Windows 10 now offers a native API which sits over the top of Windows Hello and standardises interactions with authenticator devices. Prior to this browsers on Windows had their own implementations and their own UIs. A given CTAP2 implementation would include support for 1 or more of the transports defined in the spec, each having a binding specific to the needs of that transport. The spec is worth a read.
Lack of CTAP2 support in the examples given above would mean that while you could use a backwards compatible FIDO2/CTAP2 compliant device you'd miss out on the added features of FIDO2 - primarily resident keys and thus the ability to have passwordless logins.
ETA: This artical is pretty good and has some nice diagrams: https://hybrismart.com/2019/05/23/authentication-with-hardware-security-keys-via-webauthn-in-sap-commerce-cloud/
- Is it possible to generate a WebAuthn attestation object?
- WebAuthn: Can't create public key. Promise is rejected
- Webauthn on localhost failed to pass navigator.credentials.get()
- Passkey assertion signature verification fail on iOS
- Challenge mismatch during authenticator attestion on iOS
- What options should I pass to node-cbor to decode WebAuthN passkey authenticatorData?
- Passkey Counter always 0 MacOS
- How to detect if the browser has support for webauthn
- What are the allowed RP IDs for the Public Key Credential create() and get()
- navigator.credentials is null on local server
- WebAuthn API not returning expected challenge token
- How to implement Passkeys
- How to remove WebAuthn credentials on Chrome MacOS?
- Webauthn - allowCredentials and credential selection
- Webauthn - How to validate/verify returned registration auth data using React + Node.js
- Is Chrome ignoring WebAuthentication "userVerification" setting?
- Webauthn: ReferenceError: Can't find variable: PublicKeyCredential
- Using IP address as relying party ID in passkey
- WebAuthn exclude pin from options
- How to distinguish FIDO2 devices
- Is it allowed to use an IPv4 as rp_id in webauthn credential creation options?
- How to properly extract public key from attestationObject?
- Android Chrome Skip "Use saved passkey" screen
- WebAuthn: Is it possible to filter passkey authenticators?
- WebAuthn: Does navigator.credentials.create() work from localhost to another (sub)domain?
- Can a chrome extension directly initiate the (chrome) WebAuthn / PassKey dialogue?
- How to set algorithms for PublicKeyCredentialCreationOptions webauthn-lib 4.7?
- android-safetynet attestation replacement in webauthn after deprecation
- WebAuthn: Is it possible to get public key from credentials.get
- Is it safe to use WebAuthN's credential ID?