Reputation: 13
Is it possible to detect (in client-side JavaScript running in a browser) if the user is authenticated via WebAuthn? I'm not interested in whether the browser supports WebAuthn or what the credentials are, only in whether the authentication has occurred. I've looked through the API at https://www.w3.org/TR/webauthn-2/ and experimented with the demo at https://webauthn.io/ but don't see if this is allowed.
I would need to detect this within a third-party script running on a website, so I don't have access to the code that would be implementing WebAuthn. It would be easier for me to detect if the website is implementing MFA via WebAuthn, but I assume that is not possible; so as a fallback I am hoping I can detect if MFA authentication has occurred.
Upvotes: 1
Views: 1217
Reputation: 617
So let's think about authentication in general. Authentication is a feature of a specific service that is implemented in a specific way by that service. The user experience may be similar between Google and Facebook, but the flows, API and password hashing are unique to each provider.
To figure out if you can log in to a website with a password, you need to go to the website and see if it has a login form, for example.
Same with WebAuthn. This is not some in-browser magic. If you want to see if you can use WebAuthn with a website, you need to try to log in to the website and see if it is utilising the WebAuthn API during the login.
The WebAuthn API simply provides the ability to generate a credential and get an assertion (proof) for the credential. You may use this information to authenticate the user. How exactly you do it, and the process of performing validation, is different for each service.
So in conclusion:
The WebAuthn API does not have functionality to figure out if the user is logged in, because this is not what the WebAuthn API is for.
If you are interested in learning more about WebAuthn:
We have a cool guide: https://webauthn.guide/
A collection of useful resources: https://github.com/herrjemand/awesome-webauthn
And a deep dive into WebAuthn API: https://medium.com/webauthnworks/introduction-to-webauthn-api-5fd1fb46c285
Upvotes: 5
Reputation: 1230
This information can be conveyed in an authentication assertion such as a SAML assertion or OpenID Connect ID Token, using various claims:
It could also be conveyed as a claim in an access token: https://www.rfc-editor.org/rfc/rfc9068.html#name-authentication-information-
Upvotes: -1
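As an added example (not code from either answer): if the relying party exposes its OpenID Connect ID token to the front end, the authentication-method claims the second answer refers to can be read from the token payload. The claim names `amr` and `acr` come from OpenID Connect Core and the values `mfa` and `hwk` from RFC 8176; which values a given IdP actually emits for a WebAuthn login is provider-specific, so the check below is an assumption to be matched against that IdP's documentation, and the token itself is a constructed sample.

```javascript
// Added example: read amr/acr from an OIDC ID token payload. Only the payload is
// decoded; signature verification is assumed to have been done by the relying
// party before the token is trusted, and this code never makes that decision.

// base64url -> text; works in browsers (atob) and in Node (Buffer).
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function' ? atob(padded) : Buffer.from(padded, 'base64').toString('latin1');
}

// Parse the authentication-method claims from a compact JWS (header.payload.signature).
function authClaimsFromIdToken(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const claims = JSON.parse(b64urlDecode(parts[1]));
  return {
    amr: Array.isArray(claims.amr) ? claims.amr : [],         // methods used (RFC 8176 values)
    acr: typeof claims.acr === 'string' ? claims.acr : null,  // authentication context class
  };
}

// Assumed mapping: "mfa" plus "hwk" (hardware-secured key) is what we treat as a
// hardware-key second factor. Confirm against the IdP's documented amr values.
function claimsIndicateHardwareKeyMfa({ amr }) {
  return amr.includes('mfa') && amr.includes('hwk');
}

// Constructed sample tokens: real-looking header, fake payload, placeholder signature.
function b64urlEncode(obj) {
  const json = JSON.stringify(obj);
  const b64 = typeof btoa === 'function' ? btoa(json) : Buffer.from(json, 'utf8').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const HEADER = b64urlEncode({ alg: 'RS256', typ: 'JWT' });
const SAMPLE_MFA_TOKEN = [
  HEADER,
  b64urlEncode({ iss: 'https://idp.example', sub: 'user-123', amr: ['pwd', 'hwk', 'mfa'], acr: 'urn:example:loa:2' }),
  'placeholder-signature',
].join('.');
const SAMPLE_PWD_TOKEN = [
  HEADER,
  b64urlEncode({ iss: 'https://idp.example', sub: 'user-123', amr: ['pwd'] }),
  'placeholder-signature',
].join('.');

console.log(authClaimsFromIdToken(SAMPLE_MFA_TOKEN), claimsIndicateHardwareKeyMfa(authClaimsFromIdToken(SAMPLE_MFA_TOKEN)));
```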