
Published on: 2025-Oct-29 at 21:59:25 Last updated on: 2025-Oct-31 at 11:27:03
I welcome the push for WebAuthn, but I am not going to use it nor promote it as an alternative for passwords.
Security Minimalism
What is it?
For those who are unfamiliar, WebAuthn (or Web Authentication) is a standard published by W3C.
The idea is to replace passwords with an authenticator. It can be a smartphone, a USB key, or some other cryptographic device. Yes, passkeys are a subset of it.
One cannot read the specification without raising an eyebrow. It relies on an ideal scenario in which the user never loses access to their possessions.
The problems
Losing access
The most concerning part is Section 13.4.6, credential-loss-key-mobility:
This specification defines no protocol for backing up credential private keys, or for sharing them between authenticators. In general, it is expected that a credential private key never leaves the authenticator that created it. Losing an authenticator therefore, in general, means losing all credentials bound to the lost authenticator, which could lock the user out of an account if the user has only one credential registered with the Relying Party.
Most people in tech would be fine with that; we usually have multiple devices, backups, and backups of backups, after all. Others, not in tech, especially the younger and older generations, will have only one device: their smartphone.
Section 13.4.6 also says this:
Instead of backing up or sharing private keys, the Web Authentication API allows registering multiple credentials for the same user. For example, a user might register platform credentials on frequently used client devices, and one or more roaming credentials for use as backup and with new or rarely used client devices.
This is disastrous, because there will be no way to log in to the service if the sole device used for authentication is broken, stolen, or otherwise inaccessible. The developers and companies implementing WebAuthn know that, so they implement a fallback: password + 2FA.
Assume that we end up pushing both, and only allow people to use WebAuthn if they register multiple credentials and drop the password. Everyone else can keep using their passwords. I guess that would be fine… until some natural disaster wipes out everything the user has. But I guess they will have more to worry about at that point than losing some accounts. Still, this is the best way we can implement WebAuthn right now.
Won’t work without JavaScript
WebAuthn also does not work without JavaScript. I have been following an issue/feature request about this that was closed and still has enough traction because people who care about the web want it.
When the implementation is split between the browser and the web developer, the problem becomes even worse, because not many developers implement specifications themselves. Many just use a third-party library and call it a day. Recently, there was a Node.js supply chain attack that made headlines because it affected billions. We just can’t trust JavaScript from an unknown author. People conscious of privacy and security often block scripts one way or another.
The Alternative
The alternative to WebAuthn is something people are familiar with: a Time-based One-Time Password (TOTP). In my mind, it is superior, not just because we can back it up, but because it works on all platforms without browsers needing to implement yet another protocol.
A TOTP is usually 6, 8 or more digits that become invalid after a set amount of time. Most people are familiar with the 6-digit TOTP that expires in 30 seconds. That’s typically long enough to type it in if it cannot be copied and pasted into… let’s say, your e-book reader. Most services cunningly also accept the TOTP from one time step before, to help users with mobility issues get through. I can’t see a way to manually enter a WebAuthn credential in any form.
Another good thing about TOTP is that it works offline. You just need to ensure that whatever device you use has the correct time, so it is still better than those two-factor schemes that ask you to tap an app notification or click a link sent by email.
Conclusion
In conclusion, WebAuthn is friendly only to a small set of people: those who have multiple devices that can act as authenticators, and who only use supported devices and browsers. WebAuthn is security with restrictions, and that is not what the web was made for.
Any form of restriction becomes an accessibility issue, one that can only be solved by upgrading the system or buying new hardware. Web specifications are usually written as progressive enhancements, and I don’t think WebAuthn fits that bill.
Let’s close this with a quote from Tim Berners-Lee, W3C Founding Director and inventor of the World Wide Web:
The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect.