Passkey Reference Implementation #266
Replies: 1 comment 1 reply
-
A very interesting submission! Thank you! The UI looks great, I like the simple "Passkey" button with recognizable iconography.

There's something that immediately stood out to me, though, as functionality that you should consider tweaking for better security: When you generate your login options you don't persist the challenge anywhere on the back end:

Then, when you verify the response, you use the challenge set in the header by the front end:

This goes against the spec's recommendation that an RP generate and store the challenge on the back end and only allow challenges to be used once, even if the verification fails: https://www.w3.org/TR/webauthn-2/#sctn-cryptographic-challenges

I'd recommend tweaking your implementation to, for example, set a session ID in an HTTP-only cookie on page load and use that to track which challenge should be used for verification when the authenticator response is passed back. Right now an attacker can simply spam responses at you with a challenge of their creation and your server would naively verify with the attacker-provided challenge. You want the auth logic to get to the point where only a challenge you know about can be signed over.
-
Hi SimpleWebAuthn community,
Sharing here my reference implementation for the passwordless registration/login flow - hope this gives you good ideas and makes the adoption of SimpleWebAuthn easier for you.
main project link: https://github.com/authcompanion/authcompanion2