Web Authentication
This article is a stub. You can help the IndieWeb wiki by expanding it with relevant information.
Web Authentication (WebAuthn) is a W3C Recommendation for an API to access public key credentials, including for a browser, optionally with the use of a hardware key.
IndieAuth and WebAuthn
WebAuthn can be used as the authentication during an IndieAuth flow. Similarly to how WebAuthn doesn't replace the need for OAuth, WebAuthn doesn't replace the need for IndieAuth. WebAuthn takes the place of a password when authenticating to your account. In the context of IndieAuth, WebAuthn can be used as the way you log in to your own site, which then you can use with IndieAuth to log in to other sites.
You can implement them in either order, and implementing both is beneficial.
IndieWeb Examples
Examples of IndieWeb sites using WebAuthn to authenticate.
- Add yourself here... (see this for more details)
Implementations
Apple Passkey
Apple announced support for WebauthN on macOS Ventura, iOS 16 and iPadOS 16. [1]
Criticism
- 2018εΉ΄08ζ23ζ₯ Paragon: Security Concerns Surrounding WebAuthn: Don't Implement ECDAA (Yet)
See Also
- WebAuthn: A Developer's Guide to What's on the Horizon by Aaron Parecki
- 2018εΉ΄08ζ22ζ₯ Duo Security CEO: "Attackers are not hacking into your system, theyβre simply logging in."
What weβre likely to see in the future are sites starting to use Web Authentication, commonly known as "WebAuthn,"...
βDug Song - multi-factor authentication
- Criticism of Passkeys usability in particular: 2024εΉ΄12ζ30ζ₯ Ars Technica: Passkey technology is elegant, but itβs most definitely not usable security
- more usability criticisms of passkeys etc (turn these into citations with the template) 2024εΉ΄10ζ14ζ₯ Can Passkeys Replace Passwords / Timely idea faces deployment challenges; 2024εΉ΄04ζ08ζ₯ Big Tech passkey implementations are a trap; 2024εΉ΄09ζ09ζ₯ Passwords have problems, but passkeys have more; 2024εΉ΄02ζ08ζ₯ One does not simply implement passkeys
- 2025εΉ΄05ζ05ζ₯: Passkeys for Normal People